
The United States does not yet have a single federal data protection law. To date, an increasing number of states have passed their own laws and/or updated existing ones, and bills have been introduced, are in progress, or have failed in many others.

There are a number of other long-standing privacy laws in the US that target specific types of information or groups of people, like the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Children’s Online Privacy Protection Act (COPPA) for children’s safety. Keeping track of every relevant regulation that addresses personal data, and achieving compliance with all of them, is therefore not easy.

The first and most influential state-level consumer privacy law passed in the United States is the California Consumer Privacy Act (CCPA). It takes some influence from the European Union’s General Data Protection Regulation (GDPR) and has, in turn, influenced privacy bills drafted by other states, including the Virginia Consumer Data Protection Act (VCDPA).

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a US state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to residents of California, known as “consumers” under the law, and regulates the protection of their personal information.

It’s worth noting, however, that California is the most populous US state, with a population of over 39 million people, as well as having the world’s fifth largest economy, and a number of the world’s largest and most influential tech companies are headquartered there. So the state has an outsized influence on many fronts.

A consumer under the law is a natural person who is a resident of California, however identified, including by means of a unique identifier. A “resident” means:

and

The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and granted additional rights to consumers and established the California Privacy Protection Agency (CPPA), among other things. Enforcement of the CPRA, originally scheduled to begin on July 1, 2023, began in February 2024 after a legal challenge.

Definitions under the California Consumer Privacy Act (CCPA) data privacy law

The CCPA, as amended by the CPRA, defines several terms that cover the data it protects and data processing activities. Unlike most other data privacy laws, California does not use the terms “controller” or “processor”.

Personal information under the CCPA/CPRA

The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA/CPRA’s definition of personal information is wide-ranging, and examples under the law include, among other things:

Personal information is known as personal data under many international and other state-level data privacy laws in the US.

Sensitive personal information under the CCPA/CPRA

Sensitive personal information is that which can cause harm to a consumer if misused, and includes, among other things: 

Unique identifier under the CCPA/CPRA

The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”

The law specifies that a family means a custodial parent or guardian and any children under 18 years of age who are in their custody.

Examples of unique identifiers are:

Consent under the CCPA/CPRA

The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”

The following does not constitute valid consent under the CCPA/CPRA:

Sale under the CCPA/CPRA

The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

A business is not considered to have sold information when:

Who must comply with the California Consumer Privacy Act (CCPA)?

The CCPA/CPRA law applies to for-profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one of the following thresholds:

Interestingly, more recently passed privacy laws in other states have abandoned the revenue-only compliance threshold. Whether or not the company is headquartered in or has an office in California is not relevant to compliance. All companies that meet the threshold must meet CCPA/CPRA obligations if they are doing business with California residents, regardless of where in the world they are based.

What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?

The CCPA, as amended by the CPRA, grants consumers several rights to enable them to protect their personal information and control how it’s used.

In addition to these rights that are explicitly stated in the CCPA/CPRA, consumers also have the right to data portability. Where a consumer has exercised their right to know and access personal information, businesses must present the consumer’s specific personal information in a “structured, commonly used, machine-readable format.”

Obligations under the California Consumer Privacy Act (CCPA) Rules

Businesses have specific CCPA/CPRA obligations to protect consumers’ personal data, ensuring transparency and accountability in their data handling practices.

Notices required under the CCPA/CPRA

The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.

A notice at collection must be displayed to consumers at or before the point where the business collects their personal information. This notice must clearly list: 

The notice at collection should contain a link to the business’s privacy policy.

The CCPA privacy policy must include:  

Businesses commonly make their privacy policy accessible on their websites, typically found via a link in the footer so that consumers can easily find and review the privacy policy.

In most cases, the CCPA/CPRA does not require explicit consent from consumers for the collection, use, or sharing of their personal information. It operates on an opt-out model, where consumers are assumed to consent to data use unless they choose to opt out. There is an exception for the personal information belonging to minors:

Consumers have the right to opt out of the sale and several other uses of their personal information and to limit the use or disclosure of sensitive personal information.

Opt-out requests under the CCPA/CPRA

Businesses must provide options for consumers to opt out of:

The law mandates specific ways for businesses to provide consumers with opt-out options. 

  1. Through a clear and conspicuous link on the business’s homepage titled “Do Not Sell Or Share My Personal Information,” which directs consumers to a page from which they can opt out of the sale or sharing of their personal information.
  2. Through a clear and conspicuous link titled “Limit The Use Of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
  3. If a business prefers, it can use a single link that combines both functions, as long as it effectively enables consumers both to opt out of the sale, sharing, targeted advertising, or profiling based on their personal information and to limit the use or disclosure of their sensitive personal information.

Businesses must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
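The following is an added example, not code from the original article or from Usercentrics, of what honouring a Global Privacy Control signal looks like on the server side. The GPC specification transmits the signal as the request header `Sec-GPC: 1` (and exposes it to page scripts as `navigator.globalPrivacyControl`); the header-name matching, the preference record shape and the sample requests are assumptions constructed for the example. It also shows the `/.well-known/gpc.json` support resource the specification defines, so a site can declare that it honours the signal.

```javascript
// Added example (not from the original article): treating a Global Privacy
// Control (GPC) signal as an opt-out of sale/sharing, equivalent to a click on
// the "Do Not Sell Or Share My Personal Information" link. Header names and the
// preference record shape are assumptions; sample requests are constructed.

// Return true when the request carries a valid GPC opt-out signal.
// Header names are case-insensitive; only the exact value "1" is a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide whether personal information from this request may be sold or shared.
// storedPreference is the consumer's existing choice on record, if any.
// The result records which input drove the decision so the choice is auditable.
function evaluateSaleOptOut(headers, storedPreference) {
  if (hasGpcSignal(headers)) {
    return { saleAllowed: false, source: 'gpc' };
  }
  if (storedPreference && storedPreference.optedOutOfSale === true) {
    return { saleAllowed: false, source: 'stored' };
  }
  // Opt-out model: with no signal and no recorded opt-out, sale/sharing may proceed.
  return { saleAllowed: true, source: 'default' };
}

// Persist a GPC opt-out into the consumer's preference record so that later
// requests without the header (another device, an API call) still see it.
// Never downgrades an existing opt-out: the absence of the header is not consent.
function applyGpcToPreference(headers, storedPreference) {
  const pref = { optedOutOfSale: false, ...(storedPreference || {}) };
  if (hasGpcSignal(headers)) {
    return { ...pref, optedOutOfSale: true, optOutSource: 'gpc' };
  }
  return pref;
}

// Body of the /.well-known/gpc.json resource defined by the GPC specification.
// lastUpdate is an ISO date string supplied by the caller.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (header objects as a web framework would expose them).
const requestWithGpc = { 'User-Agent': 'ExampleBrowser/1.0', 'Sec-GPC': '1' };
const requestWithout = { 'user-agent': 'ExampleBrowser/1.0' };
const requestBadValue = { 'sec-gpc': 'yes' }; // not a valid signal per the spec

console.log(evaluateSaleOptOut(requestWithGpc, null));
console.log(evaluateSaleOptOut(requestWithout, { optedOutOfSale: true }));
console.log(evaluateSaleOptOut(requestBadValue, null));
console.log(applyGpcToPreference(requestWithGpc, { optedOutOfSale: false, email: 'c@example.invalid' }));
console.log(JSON.stringify(gpcSupportResource('2024-01-01')));

module.exports = { hasGpcSignal, evaluateSaleOptOut, applyGpcToPreference, gpcSupportResource };
```

The point of persisting the signal is that a consumer's opt-out must survive beyond the single request that carried the header; a later request without `Sec-GPC` is simply a request with no new information, not a withdrawal of the opt-out.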

Consumer requests for right to know, correct, and delete

Consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data. 

The law requires businesses to provide at least two designated methods for consumers to submit their requests, which must include a toll-free telephone number. For businesses that operate exclusively online and have a direct relationship with consumers, an email address is sufficient.

If a business maintains a website, it should enable consumers to submit requests for information, correction, and deletion directly through the site. 

Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances.

While businesses may require consumers to log in to an existing account to verify their identity and submit a request, they cannot require consumers to create a new account for this purpose.

Contracts under the CCPA/CPRA

Businesses that collect consumers’ personal information sometimes sell or share consumers’ personal information with a third party, or disclose the personal information to a service provider or contractor for business purposes.

The CCPA/CPRA requires businesses to enter into agreements with these third parties, service providers, or contractors. The agreement must outline that:

Contracts with service providers and contractors must also prohibit them from:

Data security under the CCPA/CPRA

Businesses that collect consumers’ personal information are obligated to safeguard the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. The CCPA/CPRA requires businesses to implement “reasonable security procedures and practices” for this purpose.

Data minimization under the CCPA/CPRA

Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.

This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.

The CPPA, in its Enforcement Advisory No. 2024-1, has highlighted the various CCPA regulations that reflect the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary.”

Enforcement and penalties under the California Consumer Privacy Act (CCPA)

The CCPA/CPRA has certain unique characteristics when it comes to enforcing the state’s consumer privacy law.

Unlike most states, where the Attorney General has sole enforcement authority, California permits both the Attorney General and CPPA to enforce the law. However, the CPPA cannot limit the Attorney General’s authority and must stay an administrative action or investigation when requested. A business cannot be penalized by both the Attorney General and the CPPA.

Violations of the CCPA/CPRA attract civil penalties of up to:

The CCPA/CPRA is also the only consumer privacy law in the US that grants consumers a private right of action, although it is limited to specific situations. Consumers can sue a business over a breach of their personal information that occurred because the business failed to implement reasonable security measures to protect that information and that resulted in non-encrypted or non-redacted data being stolen.

Consumers must give businesses 30 days to cure the violation in the event of a data breach before they can bring an action against the business. Of note is that when the CCPA came into effect, the Attorney General also provided a 30-day cure period; however, that has now sunset.

Consumers can bring an action: 

If a consumer believes their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.

GDPR vs. CCPA: a summary

The EU’s General Data Protection Regulation (GDPR) and the CCPA/CPRA are landmark regulations when it comes to protecting data privacy. 

The GDPR is considered one of the most stringent data protection regulations worldwide, and has influenced many other regulations, such as Brazil’s General Data Protection Law (LGPD) and the CCPA.

The CCPA was the first state-level consumer privacy law passed in the US and has many unique provisions, such as dual enforcement and private right of action.

We look at the two regulations side by side to examine some of the similarities and differences.

Scope and applicability
CCPA: Applies to for-profit businesses that collect personal information from California residents and either:
– have annual gross revenues exceeding USD 26,625,000 for the previous calendar year
– receive, buy, or sell personal information of 100,000 or more consumers or households
– earn more than half of their annual revenue from the sale of consumers’ personal information
It applies to any business that meets these conditions, regardless of where the business is located (extraterritoriality).
GDPR: Applies to any entity that processes the personal data of individuals located in the EU/EEA and either:
– offers them goods and services
– monitors their behavior
Like the CCPA, it applies regardless of where the business is located (extraterritoriality). The GDPR applies to non-profit organizations and government agencies as well as for-profit businesses.

What it protects
CCPA: Personal information of California residents, known as consumers, even if they are temporarily outside the state. Personal information includes that which can be linked to a consumer or a household.
GDPR: Personal data of individuals located in the EU territory, known as data subjects. Applies to individuals only and does not extend to households.

Consent
CCPA: Operates on an opt-out consent model and doesn’t require prior consent to collect and process data in most cases. Consumers can opt out of the use of their data in specific cases.
GDPR: Operates on an opt-in consent model, meaning that organizations cannot collect or process data unless the user gives their explicit consent.

Legal bases
CCPA: There are no specific legal bases for collecting personal information.
GDPR: Personal data can only be collected if there is a legal basis:
– consent
– to perform a contract
– legal obligation
– to protect vital interests
– in the public interest
– legitimate interest

Enforcement authority
CCPA: California Attorney General and California Privacy Protection Agency (CPPA).
GDPR: Data Protection Authorities (DPA) of the EU Member States.

Private right of action
CCPA: Consumers can directly sue businesses only in the event of a data breach caused by a failure to take security measures, in specific circumstances.
GDPR: Data subjects can lodge complaints with the DPA in their state and receive compensation if they have suffered material or non-material damage.

Civil penalties
CCPA: Up to USD 2,500 per non-intentional violation and USD 7,500 per intentional violation, and statutory damages for data breach.
GDPR: Up to 2 percent of annual turnover or EUR 10 million, whichever is higher, for certain violations. Up to 4 percent of annual turnover or EUR 20 million, whichever is higher, for more serious violations.

What does the CCPA/CPRA mean for companies’ websites?

If a business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet CCPA/CPRA obligations.

Businesses can use a consent management platform (CMP) like Usercentrics CMP to achieve CCPA compliance.

A CMP enables websites to display cookie consent banners with straightforward links or buttons that enable users to opt out of data processing. It can also handle cookies and other tracking technologies, blocking their use when a consumer exercises their right to opt out.

CMPs also help websites provide clear information to users about the types of data being collected, the purposes for collection, and the third parties that may receive this data, in accordance with the CCPA/CPRA and other data privacy laws.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, and is one of the increasing number of statewide laws in the US that aim to protect the rights of consumers whose data is processed by businesses.

When it was passed, the UCPA was the fourth piece of legislation of its kind in the US. Lawmakers were able to draw on earlier regulations, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), which were both based on the first and most stringent US privacy law: the California Consumer Privacy Act (CCPA).

With this foundation, the UCPA strikes a finer balance between consumer rights and business responsibilities. Overall, the narrower scope of its definitions and compliance requirements means that it can be seen as “lighter” and more business-friendly than the majority of other state-level data privacy laws in place. 

What is the Utah Consumer Privacy Act?

The UCPA gives consumers in Utah a degree of control over how businesses are able to collect and use their data. Under the UCPA, individuals have the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold.

Unlike other similar data privacy laws, the UCPA doesn’t place limits on the data that businesses can gather and what they can do with it. The responsibility for minimizing the collection and processing of data rests with the consumer.

UCPA summary

The UCPA protects the privacy rights of Utah residents and establishes data privacy responsibilities for companies that operate in the state and process the data of the nearly 4 million individuals who live there.

It requires businesses that collect data to protect the confidentiality and integrity of that data to reduce the risk of harm associated with processing it. Organizations must also provide consumers with clear and accessible privacy notices and inform them about how they can opt out of the sale of their data.

Like other US state laws, the UCPA uses an opt-out model for user consent, rather than the opt-in model in place for regulations such as the General Data Protection Regulation (GDPR).

This means that consumers’ personal data can be collected, sold, or used for targeted advertising without first obtaining their explicit and informed consent. The only exception here relates to children’s data. In that case, consent must be obtained from a parent or legal guardian. 

Unlike most US data privacy laws, the UCPA does not require prior consent for the processing of data categorized as sensitive. Companies just need to notify consumers about collection and use and provide an opt-out option.

The sale of data is one of the key focuses for the UCPA. The Act defines any “exchange of personal data for monetary consideration by a controller to a third party” as a sale. 

This definition doesn’t include non-monetary exchanges, which means that it doesn’t apply to data sharing among businesses, differentiating it from the CCPA and California Privacy Rights Act (CPRA).

However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising. If a consumer exercises this right, their data can no longer be used. 

Updates to the UCPA

On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP), which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business. 

The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI. 

It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it’s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.

The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.

Definitions under the Utah Consumer Privacy Act

The UCPA applies to controllers or processors of consumer data. It defines these terms as follows. 

Controller under UCPA

Controller means “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” (Section 101.12 UCPA)

Processor under UCPA

Processor means “a person who processes personal data on behalf of a controller.” In relation to controllers and processors, “person” includes natural persons or commercial or noncommercial entities, including third parties, that process data and meet the applicability criteria. (Section 101.26 UCPA)

Consumer under UCPA

Consumer means “an individual who is a resident of the state acting in an individual or household context” who is not “acting in an employment or commercial context.” (Section 101.10 UCPA)

Personal data under UCPA

“Personal data” refers to “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” (Section 101.24 UCPA)

There are specific forms of personal data that can make an individual directly identifiable (e.g. a name or email address), while others may not qualify on their own (e.g. an IP address). However, it’s important to note that non-identifying data may become identifying when it’s aggregated with other kinds of personal data.

Exclusions to the definition of personal data

The UCPA sets out a number of exclusions in relation to personal data. These include information that:

Sensitive data under UCPA

Unlike some other data privacy laws, the UCPA does not require businesses to obtain consent for processing sensitive personal data. 

However, controllers do have to clearly notify consumers and give them the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed. As with non-sensitive data, consumers can also opt out of the processing of sensitive data later, at which point processing must cease.

The Act (Section 101.32 UCPA) defines “sensitive data” as personal data that includes or reveals:

Who must comply with the Utah Consumer Privacy Act?

Similar to other data privacy laws, the UCPA has provisions that provide rights to consumers and place obligations on businesses, provided that they meet certain criteria. 

UCPA applies to businesses that: 

or

The UCPA differs from some of the other data privacy laws as entities have to meet multiple criteria for it to apply. This narrows its scope. For example, the revenue threshold will exclude smaller SMEs from qualifying. Many of the more recently passed US state-level privacy laws do not include a revenue-centric threshold, though Utah is one of the earlier ones that does.

Unsure if the UCPA applies to your business? Use our UCPA checklist to understand if the Act applies to your business, and what you need to do to be compliant.

Exemptions to Utah Consumer Privacy Act compliance

Organizational exemptions

In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:

Data exemptions

The UCPA does not apply to information that’s already subject to the following regulations:

Employment exemptions

Data processed or maintained during the course of an individual’s employment is exempt from the UCPA. 

This covers instances when an individual is applying for a job, as well as when they are “acting as an employee, agent, or independent contractor of a controller, processor, or third party,” provided that the data is “collected and used within the context of that role” (Section 102.2(o)(i) UCPA). 

Consumer rights under the Utah Consumer Privacy Act

Consumers have four primary rights under the UCPA: access, deletion, portability, and opting out.

Key differences with other privacy laws

While these rights are similar to those given to consumers under other data privacy laws, both within the US and globally, UCPA does not create other common rights, such as the right to appeal and the right to correct (to request and have omissions or inaccuracies rectified).

In addition to these exclusions, the UCPA does not provide for a private right of action (the ability for an individual consumer to sue a controller for noncompliance or a data breach). To date California is the only state that allows for this. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.

What’s more, controllers under the Utah privacy law aren’t required to recognize “universal opt-out signals” as a method for consumers to opt out of data processing. This excludes global privacy control (GPC) measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active, instead of having to specify their choice at every online property they visit. 

What are controllers obliged to do under the Utah Consumer Privacy Act?

Under the UCPA, data controllers must outline exactly how consumers can submit a request and exercise their rights related to their data. They must also respond to any requests within 45 days. 

Transparency under the UCPA

Controllers must provide consumers with a privacy notice or policy that is “reasonably accessible and clear.” This notice would typically appear on a business’s website and must include:

A consent management platform (CMP) can make this easier for you. With the right tool, you can stay compliant by generating an accurate, comprehensive, and up to date privacy policy and notify consumers about any data collection that’s taking place. 

Consumer requests under the UCPA

Consumer requests must be fulfilled free of charge to the consumer, unless the request is:

Controllers must take action and notify the consumer of their actions within 45 days of receiving a request. If the controller cannot or will not respond to or fulfill the consumer’s request, e.g. if the consumer’s identity cannot be reasonably verified, they must communicate this during that same 45-day period.

However, there are exceptions. The response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex or the controller is dealing with a high number of requests. 

Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.

Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.

Data security under the UCPA

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that have been “designed to protect the confidentiality and integrity of personal data.” (Section 302.2(a) UCPA) 

This applies both to the controller and any third party services they use.

Third-party data processing under the UCPA

Controller organizations may use third parties to process data on their behalf, so long as there is a contract in place. 

The contract must include data processing instructions, as well as some of the same information that must be outlined in the consumer notification, including:

Under the UCPA, controllers don’t have to evaluate the risks of their data processing activities via data protection assessments. What’s more, a contract between a controller and processor does not need to stipulate that the processor must comply with any reasonable data privacy audits set in motion by the data controller.

Processing of children’s personal data under the UCPA

The processing of children’s data is the only activity under the UCPA that requires explicit consent. Under the Act, a child is defined as an individual known to be under the age of 13. 

Controllers must obtain verifiable parental or guardian’s consent prior to processing and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).

Nondiscrimination under the UCPA

Controllers may not discriminate against any consumer who exercises their privacy rights. Examples of potential discrimination include:

However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” (Section 302.4(b) UCPA) if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.

Enforcement of the Utah Consumer Privacy Act

Enforcement authority

The Utah Attorney General has full enforcement authority over the UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.

Investigations and cure period

Where authorities find reasonable cause or evidence of a violation, it’s referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.

The UCPA provides the offending party with a 30-day “cure” period. This is a grace period during which the controller is given the opportunity to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won’t be repeated. Unlike many US data privacy laws, the UCPA’s cure period does not sunset.

Damages and fines

In cases where punitive action is required, for example if the controller or processor fails to resolve the violation, or repeats it after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines of up to USD 7,500 per violation.

The UCPA uses an opt-out model to regulate data collection and processing in the state of Utah. As a data controller in Utah, you’re not required to obtain data subjects’ consent before collecting personal data, unless that data belongs to a child.

However, you are required to give consumers a clear notification that their data is being collected, inform them about their rights, and provide them with the means to opt out, either before or at the point of collection and processing.

To achieve and maintain compliance, use a CMP. A robust CMP can automate the process of notifying customers about data processing, tailoring consent messages, and managing their opt-out choices. This makes it easier to achieve and maintain compliance with the UCPA and other US privacy laws like the CCPA/CPRA and VCDPA.

A robust CMP helps your business obtain consent in a transparent manner, enabling you to collect valuable data while building trust with your customers.

Navigating UCPA compliance

While the requirements for UCPA compliance are less demanding than similar laws’, the potential fines and damage to brand reputation that can result from noncompliance mean that businesses must still be diligent.

Usercentrics can help you adhere to regulatory requirements of laws like the UCPA with its all-in-one CMP that enables you to produce content for privacy notices in just a few clicks. What’s more, our platform simplifies consumer consent management and helps you personalize the consent experience for your users.

If you have questions or interest in implementing our CMP to help you achieve compliance with privacy laws in the US and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Minnesota became the nineteenth state in the United States to pass a consumer privacy bill with the Minnesota Consumer Data Privacy Act (MCDPA) when Governor Tim Walz signed it into law on May 24, 2024. The law goes into effect on July 31, 2025, with the compliance deadline extended to July 31, 2029 for postsecondary institutions regulated by the Minnesota Office of Higher Education.

We look at how the MCDPA protects consumers’ information, and the broader implications for organizations under its jurisdiction.

What is the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) is a regulation designed to protect the privacy and personal data of Minnesota’s residents by regulating how data is collected, processed, and used. The state-level law imposes specific obligations on businesses that either operate in Minnesota or offer products and services to its residents, known as “consumers” under the law, and process their personal data.

Under the MCDPA, a consumer is “a natural person who is a Minnesota resident acting only in an individual or household context.” The law explicitly excludes any natural person acting in a commercial or employment context.

Like most other US states with similar laws, Minnesota follows an opt-out consent model. Businesses must clearly inform consumers about:

Who must comply with the Minnesota Consumer Data Privacy Act?

The Minnesota privacy law applies to businesses that operate in the state and produce products or services targeted at Minnesota residents, and during a calendar year:

The MCDPA applies to any business that fulfills these conditions, regardless of where the business is located.

Minnesota data privacy law sets itself apart from some other state laws such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), as it does not require businesses to comply based on annual revenue alone.

Exemptions to Minnesota Consumer Data Privacy Act compliance

The Minnesota data privacy law exempts certain entities from complying, including:

Data that is exempt from the law includes:

Definitions under the Minnesota Consumer Data Privacy Act

The Minnesota privacy law defines key terms that explain the types of data it covers and the data processing activities involved.

Personal data under the MCDPA

The Minnesota privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.

Common types of personal data that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.

Sensitive data under the MCDPA

Sensitive data is personal data that could harm consumers if abused. Under the MCDPA, it includes:

Controller under the MCDPA

Controller under Minnesota’s privacy law is “a natural or legal person who, alone or jointly with others, determines the purpose and means of processing personal data.”

A controller, also known as a “data controller” under some laws, is responsible for protecting personal data under the law.

Processor under the MCDPA

A processor under the law is “a natural or legal person who processes personal data on behalf of a controller.”

Sale of personal data under the MCDPA

Sale of personal data means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

The MCDPA’s definition specifically excludes the following:

Targeted advertising under the MCDPA

The MCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

Targeted advertising under the MCDPA does not include:

Consent under the MCDPA

The Minnesota privacy law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.”

Excluded from the definition are:

Consumer rights under the Minnesota Consumer Data Privacy Act

Consumers have several rights under the MCDPA that enable them to protect their personal data and control how it’s used, in particular:

Consumers have the following additional rights if their data is used for profiling that affects legal decisions about them:

There is no private right of action that gives consumers the right to directly sue a controller for violations of the Minnesota privacy law.

Controllers’ obligations under the Minnesota Consumer Data Privacy Act

Under the Minnesota data privacy law, controllers are required to meet specific obligations to protect consumers’ personal data.

Consumer rights requests under the MCDPA

Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. While consumers can be asked to log in to an existing account for identity verification, requiring them to create a new account is not permitted under the law.

Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If an extension is required, the controller must inform the consumer before the initial 45-day period expires.

If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision.

Controllers must respond to appeals within 45 days, and they may extend this period by an additional 60 days if reasonably necessary. If an appeal is denied, the controller must provide a written explanation with reasons for denial and inform the consumer how to submit a complaint to the Attorney General.

Controllers are required to maintain records of all appeals and their responses for a minimum of 24 months, and they must provide the Attorney General with copies of the records if requested.

Privacy notices under the MCDPA

Under the Minnesota data privacy law, controllers must publish a clear, accessible, and comprehensive privacy notice that includes the following information:

Controllers that sell consumers’ personal data to third parties, or process personal data for targeted advertising purposes or profiling, must disclose this in the privacy notice. They must also provide consumers with a prominent method to opt out of the sale, processing, or profiling for these purposes. A link provided for these purposes must use the words “Your Opt-Out Rights” or “Your Privacy Rights”.

Typically, the privacy notice or privacy policy is posted in a highly visible location on the controller’s website, such as the footer, ensuring it’s easy to locate. The MCDPA mandates that controllers use the word “privacy” in the link to the privacy notice on a website, mobile app’s app store page, or download page.

The MCDPA also requires controllers who maintain apps — whether they’re mobile, tablet, web, or smart device apps — to include a link to the privacy notice in the settings menu of the app.

If a controller doesn’t maintain a website, they must make the privacy notice accessible to consumers through the regular means of communication with them, which may include postal mail.

Purpose limitation under the MCDPA

The law requires controllers to disclose the specific purposes for which they are collecting personal data and to restrict their data collection to what is “adequate, relevant, and reasonably necessary” for these identified purposes. Controllers cannot retain personal data if it is no longer needed for the original purposes of collection and processing, unless the law requires or permits it in certain circumstances.

Data security under the MCDPA

Controllers have an obligation to protect the confidentiality, integrity, and accessibility of consumers’ personal data. The Minnesota data privacy law requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures for this purpose, which are appropriate to the volume and nature of the personal data being processed.

Notably, Minnesota is the first state to mandate that controllers maintain data inventories to fulfill these requirements.

Compliance policies and data privacy and protection assessments under the MCDPA

Controllers are required to document a description of the policies and procedures adopted to comply with the MCDPA, including:

The MCDPA also requires controllers to conduct and document a data privacy and protection assessment, known as a data protection impact assessment under some laws, when processing personal data:

Data privacy and protection assessments under the MCDPA must include the description of policies and procedures that the controller has adopted to comply with the law.

The Attorney General can request the controller to disclose a data privacy and protection assessment during its investigations into any alleged violations, and the controller is obligated to make it available.

The law considers data privacy and protection assessments or risk assessments conducted by a controller for compliance with other laws as valid if the assessments share a similar scope and effect.

Consent requirements under the MCDPA

Minnesota has adopted an opt-out model for processing personal data, consistent with other US state-level privacy laws. This means that controllers can collect and process personal data without obtaining prior consent from consumers in most cases. However, an important exception exists for sensitive personal data, where controllers must obtain explicit consent before processing.

Controllers must clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling. Additionally, Minnesota law mandates that controllers provide an effective way for consumers to revoke previously given consent. This revocation mechanism must be as easy to use as the method used to give consent initially. Once consent is revoked, controllers are required to stop processing the relevant data as soon as practicable, and no later than 15 days after receiving the revocation request.

The MCDPA aligns with the Children’s Online Privacy Protection Act (COPPA) concerning children’s personal data, which is standard among US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as all personal data of children in this age group is classified as sensitive data under Minnesota law.

Controllers are prohibited from processing the personal data of consumers known to be between the ages of 13 and 16 for the purposes of targeted advertising or selling their data without obtaining prior consent from the individual.

Nondiscrimination under the MCDPA

The MCDPA explicitly prohibits controllers from discriminating against consumers who exercise their rights under the law. This means businesses cannot deny goods or services, charge different prices or rates for goods or services, or offer varying quality levels or experiences (e.g. website access) to consumers based on their choices to exercise their data privacy rights.

However, controllers may offer incentives, such as discounts or rewards, to consumers who voluntarily participate in activities involving the processing of personal data. These incentives must be reasonable and proportionate to avoid being considered coercive rather than optional and voluntary.

Certain website functions that rely on essential or necessary cookies may not operate effectively if a consumer declines these cookies. Such limitations are not regarded as discriminatory under the law.

Controllers are not obligated to provide a product or service that depends on personal data they do not collect or keep.

The MCDPA specifically prohibits controllers from processing personal data on the basis of certain characteristics, including, among others, race, ethnicity, religion, gender identity, familial status, or disability in a manner that unlawfully discriminates against consumers with respect to the provision of:

Data processing agreement under the MCDPA

The Minnesota privacy law requires controllers to enter into contracts with processors that govern data processing procedures. While the law does not explicitly use the term “data processing agreement,” this contract serves the same purpose as data processing agreements in other data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).

The contract or data processing agreement must clearly outline:

Processors must assist controllers in meeting their obligations under the MCDPA, including ensuring security of personal data being processed.

Universal opt-out mechanism under the MCDPA

Similar to data privacy laws in states like California, Nebraska, and Texas, the MCDPA includes provisions for universal opt-out mechanisms, such as the Global Privacy Control (GPC). These mechanisms enable consumers to set their privacy preferences once via browser settings or extensions, and these preferences are then automatically applied to all websites and online services they visit.

Under the MCDPA, controllers must respect universal opt-out signals that express a consumer’s choice to opt out of activities such as targeted advertising or the sale of personal data. Controllers that recognize opt-out preference signals approved by other state laws or regulations will be deemed compliant with this requirement under the MCDPA.
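The following is an added illustration of how a controller can honor the GPC signal described above on the server or in the browser; it is not code from the article, from Usercentrics, or from the MCDPA. It assumes the signal arrives as the “Sec-GPC: 1” request header (or as navigator.globalPrivacyControl), maps it to the sale and targeted-advertising opt-outs only, keeps sensitive data on the opt-in footing the law gives it, and uses a per-consumer preference record whose shape is my own assumption.

```javascript
// Added example (not Usercentrics or MCDPA code): resolving what processing a
// request may receive once stored preferences and the GPC signal are combined.

// The GPC specification defines the request header "Sec-GPC" with the value "1".
// Any other value is not a signal, so it is treated as "no preference expressed".
const GPC_HEADER = "sec-gpc";

// Activities the MCDPA lets consumers opt out of; under the opt-out model the
// default for each is "allow" until the consumer says otherwise.
const OPT_OUT_ACTIVITIES = ["sale", "targeted_advertising", "profiling"];

// Assumption: GPC is honored as an opt-out of sale and targeted advertising.
// Profiling is not expressed by GPC, so it follows the stored preference only.
const GPC_COVERS = new Set(["sale", "targeted_advertising"]);

// Header names are case-insensitive; values are compared after trimming.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side equivalent of the header: only a boolean true counts as a signal.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// stored is an assumed preference record, e.g.
//   { sale: "opt_out", targeted_advertising: "allow", sensitive_data: "consent" }
// Missing keys mean the consumer has not expressed a choice for that activity.
function resolveProcessing({ headers = {}, nav = null, stored = null } = {}) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const decision = { gpc_signal: gpc };

  for (const activity of OPT_OUT_ACTIVITIES) {
    const storedOptOut = Boolean(stored) && stored[activity] === "opt_out";
    // GPC can only switch processing off; it never overrides a recorded opt-out,
    // and a stored "allow" does not override an active GPC signal.
    const optedOut = storedOptOut || (gpc && GPC_COVERS.has(activity));
    decision[activity] = optedOut ? "opt_out" : "allow";
  }

  // Sensitive data is the opt-in exception: denied unless consent was recorded.
  const sensitiveConsent = Boolean(stored) && stored.sensitive_data === "consent";
  decision.sensitive_data = sensitiveConsent ? "allow" : "deny";

  return decision;
}

// Constructed sample requests (not captured traffic) covering the main cases.
const SAMPLES = [
  { id: "gpc-on", headers: { "Sec-GPC": "1" }, stored: null },
  { id: "gpc-invalid-value", headers: { "Sec-GPC": "0" }, stored: null },
  { id: "stored-only", headers: {}, stored: { profiling: "opt_out", sensitive_data: "consent" } },
];

function runSamples() {
  return SAMPLES.map((sample) => ({ id: sample.id, ...resolveProcessing(sample) }));
}

for (const result of runSamples()) {
  console.log(JSON.stringify(result));
}
```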

The law requires that the mechanism a controller employs must:

Enforcement of the Minnesota Consumer Data Privacy Act

The Minnesota Attorney General has exclusive authority to enforce the MCDPA. While the law does not grant consumers a private right of action, they can still file complaints about alleged violations or denials of their privacy rights directly with the Attorney General’s office. Before initiating an enforcement action, the Attorney General must issue a written notice to the implicated party, detailing the alleged violations.

The MCDPA includes a 30-day cure period for organizations to address and rectify any alleged violations after receiving the notification. This cure period has a sunset date of January 31, 2026, after which this provision will no longer apply, and any cure period will be at the discretion of the Attorney General’s office.

Fines and penalties under the MCDPA

The Minnesota Attorney General can initiate enforcement actions against controllers or processors if they fail to remedy a violation within the 30-day cure period. An enforcement action might include seeking injunctive relief and/or imposing civil penalties, which can reach up to USD 7,500 per violation, along with recovering reasonable costs related to investigating the violation.

Like consumer privacy laws in other US states, the Minnesota privacy law adopts an opt-out consent model. This means businesses can collect and process personal data without obtaining prior consent, except for sensitive personal data and data belonging to children.

Consumers have the right to opt out of the collection and processing of their personal data for purposes such as sale, targeted advertising, or profiling. Businesses are required to clearly present this opt-out option on their websites, typically within the privacy policy or privacy notice.

Many websites use cookie consent banners that include clear links or buttons that enable users to opt out of data processing. A consent management platform (CMP) like Usercentrics CMP can automate this process by managing cookies and other tracking technologies and blocking their use until the consumer gives consent, or by enabling opt-out, depending on the relevant legal model.

CMPs also enable websites to offer clear information to users regarding the types of data collected, the purposes for collection, and the third parties that might receive this data, in line with the MCDPA and other data privacy regulations.

Since there is currently no unified federal privacy law in the US, businesses that operate around the country and/or internationally likely need to comply with multiple state and international privacy regulations. CMPs can assist in this by customizing cookie banners based on the user’s location, helping businesses meet the requirements of state-level laws like the MCDPA as well as international regulations such as the GDPR.

Preparing for the Minnesota Consumer Data Privacy Act

Businesses operating in Minnesota have until the effective date of July 31, 2025, to prepare for compliance with the MCDPA. Those that are already compliant with privacy regulations in other states may find themselves ahead, as there are several overlapping requirements. However, businesses must also prepare for specific MCDPA provisions, such as the obligation to maintain data inventories and to document data privacy policies and processes. Integrating a privacy by design approach not only benefits compliance efforts but also enhances overall organizational operations.

Companies must assess whether they meet the MCDPA compliance thresholds, and, if applicable, take steps to provide users with clear opt-out options and accessible privacy notices. Using a Consent Management Platform (CMP) like Usercentrics CMP can assist in managing cookies on websites and apps.

As the MCDPA adapts to technological advancements and shifts in consumer expectations, it is crucial for businesses to consult with qualified legal professionals or data privacy experts, such as a Data Protection Officer, to maintain compliance.

The California Consumer Privacy Act (CCPA) set US standards for consumer privacy and data protection. It requires businesses that operate in digital markets to establish compliant data collection practices, communicate these to their customers, and implement measures to protect this data.

Meeting CCPA requirements can entail a large investment of time and resources, but failing to adhere to its provisions can be even more costly. The fines, legal fees, and loss of customer trust that stem from noncompliance are significant risks to your business’s bottom line.

Compliance tools are invaluable in helping you adhere to CCPA requirements. They simplify privacy compliance by streamlining consent collection, management, and signaling according to regulatory requirements, so that you can remain focused on your core business operations.

Our picks of the top CCPA compliance software:

  1. Usercentrics
  2. TrustArc
  3. OneTrust
  4. Osano
  5. iubenda
  6. Ketch

Essential features for CCPA compliance solutions

Complying with the CCPA helps your business to protect consumer rights and build customer trust while also safeguarding it against various noncompliance risks, including CCPA class action lawsuits.

Using a robust CCPA compliance tool can help you to meet the requirements of this regulation and the California Privacy Rights Act (CPRA), which expanded and amended it. When choosing your platform, it’s important to evaluate the following features.

CCPA tool: Usercentrics
  Key features:
  • Data Processing Service (DPS) Scanner
  • 2,200+ ready to use and customizable legal templates
  • Robust and in-depth analytics
  • Google-certified
  • Cross-domain and cross-device consent
  Usability score: 4.0/5 (Capterra)
  Recommended for: Businesses of all sizes

CCPA tool: TrustArc
  Key features:
  • Multiple APIs
  • Centralized Trust Center for displaying data privacy information
  • Cookie Consent Manager
  • Individual Rights Manager
  Usability score: 4.1/5 (SoftwareReviews)
  Recommended for: Small to medium-sized businesses

CCPA tool: OneTrust
  Key features:
  • Data intelligence
  • Workflow automation
  • Data mapping
  • Reporting and logs
  Usability score: 3.8/5 (Capterra)
  Recommended for: Large corporations

CCPA tool: Osano
  Key features:
  • “No Fines, No Penalties” Pledge
  • Automated data request workflows
  • Regulatory alerts
  • Blockchain storage
  Usability score: 4.6/5 (G2)
  Recommended for: Freelancers

CCPA tool: iubenda
  Key features:
  • Privacy policy generator
  • Automatic policy updates
  • White label customization with CSS
  • Consent tracking
  Usability score: 4.5/5 (Capterra)
  Recommended for: Small businesses

CCPA tool: Ketch
  Key features:
  • Enterprise Data Fortification
  • Native identity resolution
  • Ketch Smart Tag
  • Application Marketplace
  Usability score: 4.5/5 (G2)
  Recommended for: Agencies

6 great tools for CCPA compliance

Maintaining compliance with the CCPA doesn’t have to be a daunting task. Here are six tools designed to help you adhere to stringent data privacy laws efficiently so you can focus on what you do best — run your business.

1. Usercentrics

Usercentrics is an all-in-one CMP that enables compliance with the CCPA, GDPR, and other major data privacy laws. It features more than 2,200 legal templates to save time and resources during implementation and maintenance.

This powerful solution integrates easily with popular content management systems (CMSs) and web builder platforms. It enables privacy compliance right out of the box, and you can also customize it extensively, from visual branding to regulatory coverage and more.

However, note that the extensive feature set can make it somewhat challenging for new users to master initially.

Top features

Pricing plans

Usercentrics offers a 30-day free trial, after which users can sign up for one of the following paid plans.

Pros
  • Full UI customization
  • Automated third-party cookie blocking
  • Flexible pricing and packages

Cons
  • Analytics data only available for 90 days

Recent Reviews

2. TrustArc

TrustArc provides businesses with automated privacy solutions to help them achieve compliance while increasing user trust. Once it’s up and running, the platform is easy to implement at scale, but you may have to invest significant time to overcome a learning curve to unlock its full potential.

Top features

Pricing plans

Contact TrustArc for pricing.

Pros
  • Google-certified CMP provider
  • Easy to use (G2 user reviews)
  • Drag-and-drop customization

Cons
  • Poor customer support, according to some users

3. OneTrust

With an extensive set of privacy management tools, OneTrust enables businesses to safely handle customer data while minimizing security, privacy, governance, and compliance risks. The tool’s automation features can reduce the complexity involved in staying compliant, but you may experience implementation challenges, according to some users.

Top features

Pricing plans

Contact OneTrust for pricing.

Pros
  • Vendor risk management
  • Automated compliance assessments
  • Incident and breach management

Cons
  • Pricing information not publicly available

4. Osano

Osano enables more than 40,000 users to meet the requirements of data privacy laws. Although it offers an all-in-one solution that centralizes CCPA compliance management, some users note that customization options are limited.

Top features

Pricing plans

Osano has two self-service cookie consent packages:

Contact Osano for pricing for the Privacy & Trust Assurance, Privacy Essentials, and Privacy Operations & Government plans.

Pros
  • Secure blockchain storage
  • Geolocation capabilities
  • Easy setup (G2 user reviews)

Cons
  • Free plan only supports 5,000 monthly visitors

5. iubenda

iubenda’s CMP offers what they refer to as attorney-level consent management tools that help businesses take the guesswork out of compliance. However, geolocation-based consent settings, which are important for tailoring consent banners to user location, aren’t available on all plans.

Top features

Pricing plans

iubenda provides a free plan for websites with fewer than 5,000 page views per month. They also offer a free 14-day money-back guarantee on their three paid packages. Pricing is as follows:

Pros
  • Automatic updates to maintain compliance
  • Chat and email support
  • Centralized dashboard for managing multiple websites

Cons
  • Only one language included with the Essentials plan

6. Ketch

Ketch is a design-first CMP that places emphasis on the look and feel of data privacy notices, as well as compliance requirements. This US provider’s no-code solutions are aimed at teams that don’t have much technical expertise, but some users note that the platform has a learning curve and its interface is sometimes confusing.

Top features

Pricing plans

Ketch offers three plans at three different price points:

Pros
  • No-code solution
  • Easy to use (G2 user reviews)
  • Over 1,000 pre-built integrations

Cons
  • Free plan only supports 5,000 monthly visitors

Managing customers’ personal information, collecting user data, and implementing and maintaining data security in line with the CCPA is a complex and demanding task. A CMP reduces the burden of compliance by automating and streamlining the processes involved in data collection and helping to ensure that they adhere to regulatory standards.

With a CMP, businesses can efficiently establish whether they’re compliant with the CCPA and identify specific actions for achieving compliance. This significantly reduces the hassle and risk associated with adhering to this complex regulation.

Usercentrics for CCPA peace of mind

Complying with the CCPA requires a thorough understanding of the law’s detailed provisions around data collection, storage, and processing. What’s more, growing demands from consumers for the respect for and protection of their data mean that compliance is no longer just a legal requirement but a necessity for business success and longevity.

The recent introduction of the CPRA has further elevated these challenges, building on the CCPA’s requirements. As these laws continue to evolve, businesses need to remain agile and in the know in order to adapt to new guidelines and avoid costly financial and reputational damage.

Usercentrics’ CMP is designed to enable businesses to collect and manage user data in a transparent manner in order to meet the requirements of the CCPA and CPRA. Our Google-certified tool features an extensive library of more than 2,200 legal templates, a best-in-class DPS Scanner, and robust analytics for informed decision-making.

By integrating Usercentrics CMP into your tech stack, privacy compliance can be as seamless as it is robust, and you can align with current regulations, prepare for future changes, and protect your operations and your reputation.

The information presented in this article is accurate based on publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.

Organizations collect vast amounts of data from their users, which ranges from personal information to website usage patterns to financial details. This data collection helps improve services, tailor experiences, and drive business growth. However, it can also bring significant risks related to data breaches and unauthorized access to or misuse of personal data.

A Data Protection Impact Assessment (DPIA) helps organizations identify these risks, implement necessary safeguards, and maintain regulatory compliance, specifically with the European Union’s (EU) General Data Protection Regulation (GDPR).

What is a Data Protection Impact Assessment (DPIA) and why is it essential for GDPR compliance?

A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organizations identify and reduce the risks to personal data they process. It involves examining how personal data is collected, handled, and stored, and ensuring there are adequate measures in place to protect individuals’ privacy and rights as they pertain to that data. Requirements for a DPIA are included in Art. 35 GDPR.

Conducting an effective DPIA enables organizations to detect and address potential problems at an early stage, helping prevent data breaches, avoid legal complications, and protect the organization’s reputation.

Who should implement a DPIA?

Where the GDPR requires a DPIA, the obligation to carry it out falls on the data controller. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

While the data controller may appoint third-party data processors to carry out processing activities on its behalf, the responsibility for the DPIA remains with the data controller who is ultimately responsible for GDPR compliance and data security. The data processor should assist the controller in carrying out the DPIA by providing any necessary information, as required by Article 28(3)(f) GDPR.

If a Data Protection Officer (DPO) is appointed under the regulation, the controller must consult with the DPO when carrying out a DPIA. The advice given by the DPO and the decisions made by the controller should be documented within the DPIA.

The DPIA may be carried out by someone outside the organization, but the data controller remains accountable for ensuring that it is completed appropriately.

When is a DPIA required?

A DPIA is required whenever a processing activity, in particular one using new technologies, triggers one of the law’s obligations to conduct one. Art. 35 requires a DPIA where data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” According to the guidelines issued by the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), these rights and freedoms include the rights to data protection and privacy, and may also include:

The GDPR specifically requires controllers to carry out a DPIA when:

A DPIA may be required in other cases, and the controller must evaluate whether processing activities may result in a high risk to the rights and freedoms of individuals. Some examples from the WP29 and Recital 75 GDPR include cases where the processing:

A DPIA can address either a single processing operation or multiple operations that share similar characteristics in terms of their nature, scope, context, purpose, and risks.

Exclusions from the DPIA requirements

There are two circumstances when a DPIA is specifically not required under the GDPR:

  1. when the processing operations fall under a list established by a supervisory authority or Data Protection Authority of an EU member state as not requiring a DPIA
  2. when the processing has a legal basis in EU law or in the law of the member state that applies to the controller, and that law specifically regulates the processing activity

At what stage should a DPIA be carried out?

A DPIA should be carried out before any type of processing begins that is likely to result in a high risk, ideally during the early planning stages of the project, new feature, or new use case. This early assessment helps identify and manage potential risks even if some processing details are still being finalized.

DPIAs are an ongoing activity, and the controller’s obligation doesn’t end once the initial DPIA has been carried out. If data processing has commenced for specific purposes, but the conditions of processing — such as purpose or type of personal data collected — change significantly and are likely to result in a high risk to individuals’ rights and freedoms, the controller must revisit the DPIA before these new processing conditions are implemented. If a DPIA was not initially required before data processing began but changes in processing conditions make it necessary, then it must be conducted when those new conditions arise.

What are the DPIA requirements under the GDPR?

There are certain minimum regulatory requirements for what a DPIA must include. The key components of a DPIA are:

[Infographic: key components of a DPIA]

DPIAs under US law

There is no comprehensive federal data privacy law in the US, and a number of states have enacted laws to protect the personal data — often referred to as “personal information” in some laws — of their residents.

Many of these US state-level data privacy laws require controllers to conduct DPIAs. While there may be some variations among state laws, they are usually required in the following cases:

What constitutes “sensitive data” or “sensitive personal information” may differ across various laws, so controllers must ensure they follow the specific requirements of each applicable law.

States that require these assessments include Colorado, Texas, Maryland, Connecticut, Virginia, Nebraska, Oregon, and Tennessee, among others. California requires a DPIA under the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).

DPIA procedure

The GDPR doesn’t specify a procedure for conducting a DPIA, giving controllers the flexibility to approach it in a way that effectively assesses risks and informs data processing decisions. The basic steps to conduct a DPIA are as follows.

1. Identify if a DPIA is required

The first step is to determine whether a DPIA is necessary before data processing activities begin. It may not be immediately clear if a DPIA is necessary, and controllers might realize it partway through the project. In such a case, controllers must ensure the DPIA is completed before they begin any processing activities or begin collecting data.

2. Consult the DPO, if appointed

Art. 35(2) of the GDPR makes it mandatory to consult the DPO if the organization has appointed one. The DPO’s advice must be documented in the DPIA and, if the advice is overruled, the DPIA must explain why.

3. Identify all parties to be consulted

Controllers must list all internal and external stakeholders to be consulted. This includes data processors and data subjects or their representatives. The DPIA must include their feedback on the processing activities and, if feedback is disregarded, why.

4. Document the nature, scope, context, and purposes of the data processing

Controllers should list all the data processing activities, including why and how the data is being processed. This should cover, among other things:

5. Assess the necessity and proportionality

The GDPR requires controllers to evaluate whether the data processing is necessary and proportional to achieve the intended purposes, including determining the lawful basis for processing. Controllers should consider what information will be shared with data subjects in their privacy policy, how to achieve data minimization and data quality, and how international transfers will be handled.

6. Identify and assess potential risks

Controllers are required to identify and evaluate the potential risks to data subjects’ rights and freedoms, and outline measures to mitigate these risks. They must assess the likelihood and severity of each risk, considering factors like the nature of the data, the context of processing, and the potential impact on individuals. Controllers should develop a risk mitigation plan that includes specific measures such as encryption, anonymization, access controls, and regular security audits.

7. Validate and sign the DPIA

Controllers must validate and sign the DPIA once it is completed. This involves recording who approved the protection measures and any residual risks. Documenting the decision-making process and identifying those responsible for its implementation and authorization provides a clear record of the approval process.

There is no official template from the EDPB, and controllers that need structure or guidance to get started may use templates from Data Protection Authorities such as France’s National Commission on Informatics and Liberty (CNIL) or the UK’s Information Commissioner’s Office. Although the EU GDPR doesn’t apply to the UK post-Brexit, the UK GDPR is nearly identical to the EU version and includes the same provisions for DPIA requirements.

Conclusion and next steps

Conducting a DPIA is a vital practice for safeguarding personal data, maintaining data subjects’ trust, and avoiding reputational damage. By conducting a DPIA, organizations can identify and mitigate potential risks, ensuring that data processing activities are both secure and compliant.

Organizations should consult a qualified legal professional, privacy expert, or DPO to ensure compliance with the GDPR’s DPIA requirements and to implement the necessary safeguards effectively.

The Digital Markets Act (DMA) became enforceable in March 2024, targeting seven large digital platforms — designated as “gatekeepers” — that operate in the EU, European Economic Area (EEA), and UK. These companies wield significant economic power due to their widely used services, extensive customer bases, and dominant market positions.

Under the DMA guidelines, only gatekeepers are explicitly required to comply with the Act’s stringent rules. However, due to the nature of these products, they also pass some of the privacy requirements on to third-party companies using their services to help ensure privacy compliance in their full tech and business ecosystems.

As a result, businesses operating in the EU, EEA, and UK that collect personal data and use gatekeepers’ platforms must align their practices with DMA requirements or risk losing access to gatekeepers’ services.

We take a look at the practical effects of the DMA on third-party companies and provide step-by-step instructions for implementing digital tools in your tech stack that will enable you to comply with the data privacy requirements in the DMA, continue growing your digital marketing efforts, and maintain trust with your users.

The European Digital Markets Act (DMA) requirements: the basics

The DMA was passed in November 2022, coming into force in May 2023, though there was a grace period before enforcement began in early 2024.

Its mandate includes enabling healthy competition in digital markets for smaller, non-gatekeeper companies; greater transparency and choice for consumers; more stringent data privacy requirements; and more open digital markets.

“Third-party companies are required to follow the guidelines of the gatekeepers, which are about providing a fair competitive market environment and prevention of market abuse. Therefore the gatekeepers adjusted their platform services on aspects like fair access, transparency, data portability and therefore non-exclusivity and so on. The users of the platform services have to comply,” explains Tilman Harmeling, Senior Expert, Privacy at Usercentrics.

The Act’s requirements are similar in many respects to those of the EU’s General Data Protection Regulation (GDPR), but are broader in some ways, addressing additional access to and uses of end users’ personal data.

Designated gatekeepers had until March 6, 2024 to comply with the DMA’s requirements. Those that haven’t met the regulation’s requirements can be fined up to 10 percent of their annual global turnover, or up to 20 percent for repeated infringements. Booking.com was not designated as a gatekeeper until May 2024, so has until November 2024 to comply with the DMA.

The European Commission (EC) can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.

European authorities have already shown that they’re serious about ensuring gatekeepers’ compliance with the DMA. In a recent investigation into Apple’s steering practices related to its App Store (deemed a “core platform service”), the EC has warned Apple that it will have to pay a fine — which might be in the range of EUR 35.4 billion, or 10% of its total global turnover — if it does not allow users and app developers to make use of application marketplaces other than its native store by March 2025.

Facebook parent company Meta has also already been charged with violating the DMA, which could result in penalties in the tens of billions of dollars.

To maintain access to gatekeepers’ platforms, companies that do business in the EU, EEA, and UK that involve processing consumers’ personal data will also need to follow DMA guidelines set by the gatekeepers in line with the Act.

For these companies, failure to meet the requirements that the gatekeepers set would potentially mean loss of access to key features of gatekeepers’ platforms and services, like personalization functionality for advertising. This could result in a significant loss of data, audience, and revenue.

The DMA was passed along with the Digital Services Act (DSA) in the Digital Services Act package. Learn about the key differences between the Digital Markets Act and the Digital Services Act: DMA vs DSA.

What companies does the Digital Markets Act designate as gatekeepers?

Gatekeeper organizations are characterized as such because of their size, the size of their audiences and customer bases, as well as the global influence of the platforms and services they own. The EC has designated seven of these organizations:

What are the gatekeepers’ core platform services?

The gatekeepers provide 23 identified core platform services (CPS). Each of these services is required to comply with the DMA requirements because of its enormous reach and audience size, as well as the amount of data it generates.

Third-party companies that use these CPS also need to comply with the providers’ DMA guidelines or risk losing access to gatekeepers’ platforms and services, as well as the data, audience access, and revenue they generate.

Digital Markets Act (DMA) requirements for third-party companies using gatekeepers’ core platform services

The DMA requirements have a trickle-down effect on the many companies that use the gatekeepers’ core platform services: any company that collects and processes user data for its own operations and uses that data on gatekeeper services, or that accesses data collected by the gatekeepers, is affected.

These companies must fulfill certain conditions set by gatekeepers in line with the Act. As the GDPR already requires organizations that collect and use personal data to obtain prior consent (opt in) from users of these platforms and services in the EU, EEA and UK, meeting these DMA conditions can be relatively straightforward.

“Art. 5 (2) DMA: Gatekeepers must ensure that valid consent is obtained when users/companies of gatekeepers’ core platform share end users’ data. As a result, the responsibility for valid consent has been partially transferred to the gatekeepers, if their services are used,” explains Tilman.

In practice, third-party organizations need to obtain and store valid user consent, and signal it to gatekeepers’ services to control what personal data they collect. The most streamlined way to do this is using a consent management platform with tools like Google Consent Mode integrated.

The DMA guidelines for user privacy and consent are similar to the requirements under the GDPR and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before, or at the point when, any personal data is collected.

Users must also be able to change their consent preferences or withdraw consent at any time, and gatekeepers must be able to prove consent from direct and third-party users in the event of an audit by data protection authorities.

Consent management to enable Digital Markets Act (DMA) compliance

The Digital Markets Act requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:

and/or

Companies using Google services must also support the most up to date version of Google Consent Mode.

A consent management platform (CMP) like Usercentrics CMP enables companies to notify users about DMA cookies use, provide consent options, store this information securely, and signal these actions to third parties, like the gatekeepers.
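As an added example (not code from Usercentrics, Google, or the original article), the following JavaScript sketches the signaling step described above in its simplest form: queue a default-denied Google Consent Mode v2 state before any tag runs, validate the stored consent record, and only then push the user’s choice as an update. The `gtag()`/`dataLayer` queue and the four Consent Mode v2 signal names are Google’s documented API; the consent record shape (`choices`, `policyVersion`, `timestamp`), the `consentStore` helper, and the function names `isValidConsentRecord`, `applyUserConsent`, and `effectiveConsent` are assumptions constructed for this example.

```javascript
// Added example, not Usercentrics' or Google's own code: a minimal consent
// state flow that (1) starts every Consent Mode v2 signal as "denied" before
// any tag fires, (2) stores the user's choice with a timestamp and policy
// version so it can be produced in an audit, and (3) pushes the "update"
// command through gtag() only once a complete, valid choice exists.

// The four Consent Mode v2 signals (Google's documented names).
const CONSENT_TYPES = [
  'ad_storage',
  'ad_user_data',
  'ad_personalization',
  'analytics_storage',
];

// Minimal stand-in for the gtag() bootstrap that Google's snippet installs:
// every call is queued on dataLayer; in a browser the Google tag drains it.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Default state: everything denied until the user decides.
function defaultConsentState() {
  const state = {};
  for (const t of CONSENT_TYPES) state[t] = 'denied';
  return state;
}

// Check a consent record before it is signaled: each category must carry an
// explicit true/false choice (an absent category is never treated as granted),
// and the record must hold the evidence an audit needs (when, which policy).
function isValidConsentRecord(rec) {
  if (!rec || typeof rec !== 'object') return false;
  if (!rec.timestamp || !rec.policyVersion) return false;
  if (!rec.choices || typeof rec.choices !== 'object') return false;
  return CONSENT_TYPES.every(
    (t) => rec.choices[t] === true || rec.choices[t] === false
  );
}

// Translate per-category choices into Consent Mode values.
function toConsentUpdate(rec) {
  const update = {};
  for (const t of CONSENT_TYPES) update[t] = rec.choices[t] ? 'granted' : 'denied';
  return update;
}

// In-memory stand-in for the CMP's consent storage (constructed for the example).
const consentStore = { record: null };

// Called when the user makes a choice on the banner, or later withdraws it.
// Withdrawal is just another call with the relevant categories set to false.
function applyUserConsent(choices, policyVersion, now = new Date()) {
  const rec = { choices, policyVersion, timestamp: now.toISOString() };
  if (!isValidConsentRecord(rec)) {
    throw new Error('incomplete consent record: nothing signaled');
  }
  consentStore.record = rec;
  const update = toConsentUpdate(rec);
  gtag('consent', 'update', update);
  return update;
}

// What an auditor would see as the current effective consent.
function effectiveConsent() {
  return consentStore.record
    ? toConsentUpdate(consentStore.record)
    : defaultConsentState();
}

// Page bootstrap: the default-denied command must be queued before any other
// tag command. wait_for_update lets tags hold consent-dependent behaviour for
// up to 500 ms while the CMP restores a previously stored choice.
gtag('consent', 'default', { ...defaultConsentState(), wait_for_update: 500 });
```

The ordering matters: the `default` command must be on the queue before the Google tag itself loads, which is why real CMP snippets are placed ahead of the tag in the page head. Rejecting an incomplete record rather than filling in missing categories is what keeps an "undefined" choice from silently becoming "granted".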

What are third-party companies’ rights under the Digital Markets Act?

In addition to the DMA requirements regarding the rights and protections for end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.

“The DMA provides third-party companies with several rights, including fair access to platforms, interoperability, data portability, transparency, equal treatment, access to data, non-exclusive contracts, and the ability to contest gatekeeper decisions.

“These rights aim to create a more competitive and fair digital marketplace by preventing gatekeepers from abusing dominant positions and ensuring that third-party companies can compete on equal terms. These rights can be found in Chapter 3 of the DMA,” says Tilman.

Learn more: See the European Commission’s published list of “do’s and don’ts” for gatekeepers

The DMA guide for valid consent largely aligns with the GDPR and many other data privacy laws. Practically, consent needs to be given freely in advance and must be explicit, informed, and granular, while also being documented and easy to withdraw.

[Infographic: freely given consent]

How to make your website compliant with the Digital Markets Act (DMA) requirements

Because full privacy compliance is effectively required in digital ecosystems where the gatekeepers’ platforms are dominant, third-party companies that rely on gatekeepers’ platforms and services to do business in the EU/EEA and UK also have to comply with the DMA in practice.

Fortunately, due to their existing adherence to the GDPR’s provisions, many companies that attract users from within the EU, EEA and UK already meet the DMA’s guidelines. However, many organizations with users in these regions still don’t comply with GDPR and therefore won’t comply with the DMA.

Companies that want to ensure their digital practices are in line with both of these digital privacy laws, and that are concerned with protecting revenues, can do so by following a few simple steps.

Step 1: Implement a Consent Management Platform (CMP)


One of the key DMA requirements is obtaining and managing user consent for data processing activities.

Here, it makes things much easier to have a CMP to help you collect, store, and signal user consent in a way that meets the Act’s trickle-down requirements.

Learn more about how the DMA law affects user privacy and consent management.

A high performance CMP will enable you to obtain informed consent from your users by notifying them about what data is being collected, for what purposes, as well as how it will be stored and whether third parties — like the gatekeepers — will have access to it.

You want to be able to quickly and easily implement and customize your CMP for your websites, apps, and other platforms.

Beyond configuring the data processing services in use on your sites and apps and the regulations relevant to your company’s operations, you will want the look and feel of your data privacy notices to align with your company branding, which is why robust customization features matter.

Usercentrics is a market-leading web consent management platform (CMP) offering seamless integration with the most popular web content management systems (CMS) and other website builder platforms. It’s designed for technical and non-technical teams, so setup and customization are user-friendly and save you time and resources.

Usercentrics CMP enables stringent regulatory compliance with the DMA and other data privacy regulations to help ensure that you are able to maintain access to gatekeepers’ platforms and services without disruption.

To integrate Usercentrics into your website, follow these steps:

  1. Sign up for a Usercentrics account and enjoy a 14-day free trial.
  2. Generate the CMP script and privacy policy text tailored to your website.
  3. Paste the Usercentrics CMP script into the source code of your website. The designated area for this depends on the CMS you use.
  4. Save the changes and publish your website.

By integrating Usercentrics CMP, you can easily manage user consent preferences, provide transparent information about data processing activities, signal consent information to third-party services, and achieve and maintain compliance with the DMA and GDPR without the need for considerable tech or legal resources.

Step 2: Customize your consent banner

To enhance user experience and comply with DMA requirements, it’s important to customize the cookie consent banner on your website.

Usercentrics provides full customization options to optimize your user interface and messaging while matching the design and branding of your website. Follow these steps to customize the cookie consent banner.

  1. Access your Usercentrics account and navigate to the customization settings.
  2. Customize the banner appearance, including colors, fonts, logo, and layout.
  3. Add a clear and concise message explaining the purpose of DMA cookies and other data processing activities.
  4. Specify the different types of cookies used on your website and their respective purposes.
  5. Ensure Google Consent Mode is switched on to optimize your opt-in rates and gain Google ad conversion insights. On Usercentrics CMP, it’s switched on by default for new installations.
  6. Enable the necessary controls for users to manage their consent preferences easily.

By providing a user-friendly and informative cookie consent banner, you can demonstrate your commitment to user privacy and compliance with the DMA privacy law.

Step 3: Optimize user experience for consent management

Consent management should be a seamless and intuitive process for your website visitors. Here are some tips to optimize the user experience (UX) for consent management:

By prioritizing UX in consent management, you can foster trust with your users and encourage them to engage with your website while complying with the DMA, which also helps boost your consent rates over time.

Step 4: Monitor and audit Digital Markets Act compliance

Compliance with the DMA’s requirements is an ongoing process that requires continuous monitoring and auditing. Here are some best practices to help ensure ongoing compliance.

By proactively monitoring and auditing your privacy compliance efforts, you can address any potential issues promptly and demonstrate your commitment to data protection.


Compliance with the Digital Markets Act’s privacy requirements is essential for any company that makes use of services provided by the EC’s designated gatekeepers. Given the dominance and reach of these platforms, failure to do so can result in the significant loss of data, audience, and revenue.

Fortunately, complying with the DMA is made easier with a robust and scalable CMP. These platforms help third-party companies obtain the necessary consent from their users and signal it to companies like Google for advertising and other services.

This helps organizations to maintain access to gatekeeper services, grow revenue with successful and data-driven campaigns, and build trust with customers as a result of their data privacy practices.

We strongly recommend consulting with legal and data privacy experts for your privacy compliance operations. However, implementing Usercentrics CMP helps to greatly reduce the resource needs and complexities of meeting the DMA’s and gatekeepers’ requirements.

Our out-of-the-box solution is Europe’s leading CMP. Our state-of-the-art technology scans for and detects all cookies and other trackers in use on your website, enables collection, storage, and signaling of valid user consent, and automates processes to enable ongoing compliance with the DMA and GDPR. All this helps to ensure that you can maintain access to gatekeepers’ platforms and services without disruption.

On April 4, 2024, Kentucky became the fifteenth state in the United States to enact a consumer privacy bill with the passing of House Bill 15, the Kentucky Consumer Data Protection Act (KCDPA). The law goes into effect on January 1, 2026 and gives organizations close to two years to prepare for compliance.

We look at the KCDPA, who it applies to, how it protects consumers, and how organizations can prepare for compliance.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the privacy and personal data of the state’s 4.5 million residents by regulating how it is collected and used. It sets obligations on businesses that operate in Kentucky or produce products or services consumed by its residents and process their personal data.

The KCDPA protects the personal data of residents acting in “an individual context” and not for commercial or employment purposes and defines them as “consumers”.

Like most other US states with consumer privacy laws, Kentucky follows an opt-out consent model. Businesses must clearly explain to consumers:

Definitions under the Kentucky Consumer Data Protection Act

The KCDPA defines key terms concerning the data it protects and data processing activities.

Personal data under the KCDPA

The Kentucky privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.

Common types of personal data that businesses collect include name, phone number, email address, account name, IP address, passport number, or driver’s license number.

Sensitive data under the KCDPA

Sensitive data under Kentucky’s privacy law is personal data that could harm consumers if abused and includes:

Consent under the KCDPA

The Kentucky data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Controller under the KCDPA

A controller under the law is “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.”

A controller, often referred to as a “data controller” in some regulations, is responsible for protecting personal data and must comply with the legal requirements for data protection.

Processor under the KCDPA

A controller may share personal data it collects with a third party for processing purposes. This third party is known as a processor under the Kentucky privacy law and is defined as “a natural or legal entity that processes personal data on behalf of a controller.”

Sale of personal data under the KCDPA

The Kentucky privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.”

Sale does not include disclosure of personal data:

Many other US state-level privacy laws define sale as the exchange of personal data “for monetary or other valuable consideration” by the controller or third party. The KCDPA, like the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), requires monetary consideration for the exchange of personal data to be considered sale.

Non-monetary consideration does not constitute sale under the Kentucky privacy law.

Targeted advertising under the KCDPA

The KCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.”

The definition excludes:

Who must comply with the Kentucky Consumer Data Protection Act

The Kentucky privacy law applies to businesses that operate in the Commonwealth of Kentucky or produce products or services aimed at its residents and which, during a calendar year:

or

Unlike some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the KCDPA does not require businesses to comply based on revenue alone.

Exemptions to compliance with the Kentucky Consumer Data Protection Act

The Kentucky data privacy law exempts certain entities and types of data from compliance. Entity-level exemptions include, among others:

Data-level exemptions include, among others:

Consumer rights under the Kentucky Consumer Data Protection Act

Consumers have several rights under the Kentucky privacy law to protect their personal data.

There is no private right of action — or right to directly sue a controller — under the KCDPA.

Controllers’ obligations under the Kentucky Consumer Data Protection Act

Organizations subject to KCDPA compliance have several obligations under the law to protect consumers’ personal data.

Privacy policy under the KCDPA

Controllers must publish a privacy notice (often called a privacy policy) that informs consumers about:

Controllers must clearly inform consumers if they sell personal data to third parties or process it for targeted advertising purposes. Unlike the CCPA, Florida Digital Bill of Rights (FDBR), and Texas Data Privacy and Security Act (TDPSA), the Kentucky privacy law doesn’t require any specific wording to be used to disclose this information. Controllers must also advise consumers how they can opt out of sale or processing for targeted advertising.

The privacy notice must be accessible, clear, and meaningful. It is usually published through a link on the controller’s website, like in the footer, to ensure that consumers can access it from any page.

Consumer rights requests under the KCDPA

Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. Consumers may be asked to log in to an existing account for identity verification, but they can’t be required to create a new account solely for this purpose.

Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If they need an extension, the controller must inform the consumer before the initial 45-day period expires.

If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision. Controllers must respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer a method to contact the Attorney General online to submit a complaint.

Purpose limitation under the KCDPA

Controllers are required to disclose the purpose(s) for which they collect personal data, and the KCDPA requires them to limit the personal data they collect to only what is “adequate, relevant, and reasonably necessary” for the purposes.

Controllers cannot process personal data for any purposes other than those that are disclosed to consumers. If the purpose of data processing changes, they must inform consumers about the new purpose and obtain consent for processing their data, if applicable.

Data security under the KCDPA

Controllers must ensure the confidentiality, integrity, and accessibility of the personal data they collect and process. The Kentucky data privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the volume and nature of the personal data.

Data protection assessments under the KCDPA

The Kentucky privacy law requires controllers to conduct and document a data protection impact assessment (DPIA) when processing personal data:

DPIAs are classified information under the law and are exempt from disclosure, public inspection, and copying. However, the Attorney General can request the controller to disclose a DPIA during its investigations into any alleged violations, and the controller must make it available in this circumstance.

If a controller has already conducted a DPIA for other laws or regulations, and it is similar in scope and effect to what is required under the law, the controller can use that DPIA to comply with the KCDPA.

DPIAs shall be required for data processing activities on or after June 1, 2026.

Consent requirements under the KCDPA

The KCDPA primarily follows an opt-out model for personal data processing, like the other US state-level data privacy laws. This means that, in most cases, businesses can collect and process personal data without needing prior consumer consent. An exception to this is processing that involves sensitive data, and controllers must obtain explicit consent before its processing.

Controllers are required to clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling.

Unlike several other privacy laws, the Kentucky privacy law does not require controllers to recognize consumer consent preferences communicated through a universal opt-out mechanism such as Global Privacy Control (GPC).

With respect to children’s data, the KCDPA aligns with the Children’s Online Privacy Protection Act (COPPA), as is standard among the US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as the Kentucky privacy law considers all personal data of children under this age as sensitive data.

Nondiscrimination under the KCDPA

The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or offer varying quality levels to these consumers. However, they may offer different prices, rates, levels, quality, or selections of goods or services to consumers if the offer is related to a voluntary loyalty, rewards, premium features, discounts, or club card program in which the consumer participates.

If a consumer chooses not to allow their personal data to be collected, processed, or sold, businesses cannot deny them access to their website. However, certain website features requiring essential cookies may not function properly if those cookies are declined. This limitation is not considered discrimination under the law.

Businesses are not required to offer a product or service that requires personal data they do not collect or maintain. They are also required to comply with state and federal discrimination laws and cannot process personal information in violation of these laws.

Data processing agreement under the KCDPA

The Kentucky privacy law requires controllers and processors to enter into contracts that govern data processing procedures. This contract is known as a “data processing agreement” under the European Union’s General Data Protection Regulation (GDPR) and Virginia’s CDPA and must include:

Processors must ensure confidentiality of the personal data and that, at the controller’s direction or when the contract is complete, all personal data will be deleted or returned to the controller.

Under most data privacy laws, controllers are held accountable for the data processing actions, breaches, and violations by processors. However, the KCDPA provides two exceptions:

The Nebraska Data Privacy Act (NDPA) contains a similar provision regarding controllers’ ultimate accountability for data processing activities.

Enforcement of the Kentucky Consumer Data Protection Act

The Kentucky Attorney General has the exclusive enforcement authority under the KCDPA. Consumers do not have a private right of action, but they can report potential violations or denials of their privacy rights directly to the Attorney General’s office.

Before initiating an enforcement action, the Attorney General must provide written notice to the implicated party, detailing the alleged violations and offering a 30-day cure period for organizations to address and resolve any issues. This cure period, which is a permanent aspect of the law, enables companies to rectify problems and implement measures to prevent future breaches.

Organizations found in violation must inform the Attorney General in writing of their corrective actions and confirm that future breaches will not occur.

Fines and penalties under the KCDPA

The Attorney General can initiate a civil action seeking damages against organizations that do not cure the violation within the 30-day period or breach the written statement they provide. Violations of the Kentucky privacy law may result in civil penalties of up to USD 7,500 per violation.

The KCDPA adopts an opt-out model for data privacy, which allows businesses to collect and process personal data without requiring prior consent from individuals. However, exceptions are made for sensitive personal data and data belonging to children, where prior consent is mandatory. This approach is consistent with other US state-level data privacy laws.

Consumers must be able to opt out of data collection and processing for purposes such as sale, targeted advertising, or profiling. Businesses are required to make this opt-out option clearly available on their websites, usually through the privacy policy or privacy notice.

Websites often use consent banners that include clear links or buttons enabling users to opt out of data processing. Consent management platforms (CMPs) like Usercentrics CMP automate this process by managing cookies and other tracking technologies, ensuring they are blocked until the consumer gives consent where the law requires it. CMPs also provide transparent information about the types of data collected, the purposes for which it is collected, and any third parties with whom the data is shared.

In the absence of a single federal privacy law in the US, businesses operating across the US and/or internationally may need to comply with various state and international privacy laws. CMPs assist by customizing cookie banners based on the user’s location, ensuring adherence to state-level laws like the KCDPA and international regulations like the GDPR.

Updates to the Kentucky Consumer Data Protection Act

Even before the KCDPA comes into effect, Kentucky legislators have passed a bill to update its requirements. Governor Andy Beshear signed HB 473 into law on March 15, 2025.

There are two healthcare-related updates. The first is that information collected by health care providers that are acting as covered entities under HIPAA, and that maintain protected health information according to HIPAA requirements, is exempt from the relevant KCDPA requirements.

The second is that information maintained in limited data sets by entities covered by HIPAA in accordance with relevant HIPAA requirements is also exempt from relevant KCDPA requirements.

The other update limits the requirement for completing a Data Protection Impact Assessment (DPIA) in profiling cases to only those cases with unlawful disparate impact (the potential for disproportionate harm or disadvantage to members of a protected group).

These updates go into effect when the rest of the Kentucky Consumer Data Protection Act does, on January 1, 2026.

Preparing for the Kentucky Consumer Data Protection Act

Businesses operating in Kentucky have until 2026 to comply with the KCDPA. Companies already adhering to privacy laws in other states will find that much of their existing compliance work aligns with the KCDPA requirements. Businesses that meet the compliance thresholds set by the law must be prepared to offer users clear opt-out options and accessible privacy notices. Implementing privacy by design improves all aspects of organizational operations, not just compliance with regulations.

As the KCDPA adapts to new technologies and shifting consumer expectations, it is strongly recommended for businesses to seek guidance from a qualified legal professional or data privacy expert, such as a Data Protection Officer, to achieve and maintain compliance.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

The Colorado Privacy Act (CPA), effective from July 1, 2023, aims to protect the personal data of Colorado residents by imposing compliance responsibilities on businesses operating in the state. These businesses must provide clear notices about data collection practices and offer opt-out options for data processing, emphasizing the need for a reliable compliance solution to mitigate risks and focus on core operations.

Influenced by the California Consumer Privacy Act (CCPA) and similar laws, the CPA includes unique thresholds and consumer rights, such as the right to opt out of data sales and targeted advertising, to access, correct, and delete personal data, and to data portability. Unlike other state laws, the CPA also mandates opt-in consent for processing sensitive data and imposes stricter data minimization requirements.

Compliant data is a critical business resource

Compliance is crucial for companies to avoid fines, data loss, and reputational damage while leveraging privacy practices to build user trust, enhance engagement, and boost revenue. The CPA’s comprehensive approach underscores the growing importance of privacy compliance in today’s data-driven market.

These steps will help you achieve compliance with the Colorado Privacy Act (CPA), which applies to and protects residents of Colorado. The checklist also includes recommended best practices for data privacy-related user experience.

Step 1: Determine if your company is required to comply.

If your for-profit organization:

Important to know: The CPA is effective July 1, 2023 and does not apply retroactively.

Step 2: Create a comprehensive Privacy Policy.

Step 3: Inform users about their rights.

Consumers’ rights under the CPA:

Step 4: As a best practice, review and update your Privacy Policy or Notice every 12 months.

Step 5: Enable clear options when consent is required.

Step 6: Authenticate consent or opt out of collection of sensitive personal data or data from minors.

Step 7: Enable consumers to make Data Subject Access Requests (DSARs).

Step 8: Set up a system to verify Data Subject Access Requests (DSARs).

Step 9: Keep track of Data Subject Access Requests (DSARs).

Step 10: Fulfill Data Subject Access Requests (DSARs).

Get all the details about the Colorado Privacy Act (CPA) in our comprehensive overview.

The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, aims to protect Utah residents' personal data by granting rights to access, delete, and control their data, while imposing transparency and security obligations on businesses. Companies operating in Utah or targeting its consumers that meet certain thresholds must comply, with obligations that include designating a data privacy officer, conducting audits, and responding to consumer requests promptly.

Unlike California’s CCPA/CPRA, the UCPA uses an opt-out model for data processing and does not require explicit consent for processing sensitive data but mandates clear notifications. Understanding and adhering to these specific compliance requirements is crucial for mitigating legal risks, building user trust, and enhancing revenue, making it essential for businesses to stay informed and adjust their practices accordingly.

These steps will help you achieve compliance with the Utah Consumer Privacy Act (UCPA), which applies to and protects residents of Utah. The checklist also includes recommended best practices for data privacy-related user experience.

Step 1: Determine if your company is required to comply.

If your for-profit organization:

Important to know: The UCPA is effective December 31, 2023 and does not apply retroactively.

Step 2: Create a comprehensive Privacy Policy.

Step 3: Inform users about their rights.

Consumers’ rights under the UCPA:

Step 4: Review and update your Privacy Policy or Notice every 12 months.

Step 5: Enable clear options when consent is required.

Step 6: Authenticate consent or opt out of collecting sensitive personal data or data from minors.

Step 7: Enable consumers to make Data Subject Access Requests (DSARs).

Step 8: Set up a system to verify Data Subject Access Requests (DSARs).

Step 9: Keep track of Data Subject Access Requests (DSARs).

Step 10: Fulfill Data Subject Access Requests (DSARs).

Get all the details about the Utah Consumer Privacy Act (UCPA) in our comprehensive overview.

If your company has customers in Brazil – the largest country in both Latin and South America – or plans expansion there, and you collect or process personal data, you need to comply with the Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law in English.

After presidential review, the LGPD became law on September 18, 2020. Its enforceability was backdated to August 16, 2020. The main goal of the Law was to unify 40 different Brazilian laws that regulate the processing of personal data. The good news is: if you are already compliant with the GDPR or POPIA, then you have already done a great deal of the work necessary to comply with LGPD.

To help you achieve LGPD compliance, follow these steps:

Step 1: Identify if your organization needs to comply.

Step 2: Create a comprehensive Privacy Policy.

Step 3: Inform users about their rights.

Step 4: Inform users that you use cookies or other tracking technologies.

Step 5: Explain in the first layer of the privacy banner what your cookies or other web technologies are doing and why.

Step 6: Obtain users’ voluntary and informed consent to store cookies on their device(s) and enable refusal of consent or adjustment of preferences in the future.

Step 7: Collect and process data only after obtaining valid consent.

Step 8: Document and store consent received from users.

Step 9: After opt out, ensure that no further data is collected or forwarded.

Cookies covered by LGPD

Identifiable data is protected by the LGPD. Cookies and other web tracking technologies that collect data that can be associated with a natural person – for example, information that is linked or linkable to a particular user, IP address, device, or other specific identifier – are therefore subject to privacy compliance obligations under the law.

Brazilian Internet Act

The Brazilian Internet Act has provisions concerning the storage, use, disclosure, and other treatment of data collected on the Internet. Also, the established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet.

Violations can be subject to civil penalties imposed by the National Data Protection Authority. Fines can be up to 2 percent of annual revenue for the preceding year, capped at BRL 50 million, as well as full or partial suspension of data processing activities.

Requirements for the LGPD (Brazil), and whether Usercentrics is compliant with each:
Freely given and informed consent is necessary
The purpose has to be provided (first layer of the privacy banner)
The recipient has to be named (second layer of the privacy banner)
Withdrawal of consent has to be possible (second layer of the privacy banner)
Options to grant or decline consent must be equal
Proof that consent has been given must be stored
The option to give or withdraw granular consent for each data processing purpose has to be provided

DISCLAIMER

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation. Please consult a qualified lawyer should you have any legal questions.