Data Privacy Preference Management: Building Customer Trust

Building Customer Trust Through Data Privacy Preference Management

LevelUP Consulting Partners guides clients through the murky waters of data privacy compliance and risk management into the clear seas of information governance. In this journey, an area that is growing in importance is consumer consent management.

The combination of new privacy regulations emerging in the U.S. and abroad with often conflicting obligations and record keeping requirements, make it seem like properly gathering consumer consent is functionally impossible. Nationally and globally, privacy regulations requiring compliance via consumer consent vary from vague to overly detailed. This adds tough administrative efforts to your already heavy workload. But not to fear. LevelUP has developed methodologies, tools, and techniques to steer our clients through these challenges into operational solutions that satisfy legal demands.

Consent by Jurisdiction

One of the key questions organizations ask when sifting through consent requirements is, do the relevant jurisdictions require opt-in or opt-out consent?  It’s an important question. One technique assumes a default of consent, while the other explicitly requires active assent. The opt-out versus opt-in question is also the central differentiator between U.S. state privacy law requirements and international regulations like the GDPR.

Data Privacy: Consent in the United States

Five states across the U.S. either have new data privacy laws in force or have passed laws that will come into effect in 2023. These states are California, Virginia, Colorado, Utah, and Connecticut. With the economic behemoth, California, first entering the privacy regulation ring, other states have quickly followed suit and largely followed its lead in writing their laws, with a few nuances of note.

In general, Americans tend to lean toward the opt-out framework when dealing with consent, assuming consent unless the consumer explicitly states otherwise.

For example, California’s CCPA Section 1798.120(a-b) reads: “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out,” and, “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.”  Although California appears to remain the strictest of the five state policies currently passed into law, the other four also follow an opt-out framework for consent.

GDPR and Other Global Policies

In stark contrast, as the widely considered world leader on data privacy management, the European Union applies an opt-in framework when it comes to consent. 

The GDPR specifically states: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” 

Following suit, many other countries and jurisdictions have utilized the opt-in framework for collecting consent. Argentina, Brazil, China, and India being good examples, all having also implemented an opt-in strategy for gathering consent to collect user data.

Preference Management Functionality

To the untrained eye, opt-in jurisdictions may look like an overwhelming design and maintenance burden on already overtaxed business admin resources. And that the ubiquitous pop-up banners and questionnaires are the only solution. But that is not always the case.

First, remember that opt-in jurisdictions do not require consent for strictly necessary data collection, which exempts mandatory business information from processing procedures. Additionally, most consent can be gathered in a straightforward way online through the right legal language crafted with counsel.

Record keeping and legal language are intertwined and must be consistent when gathering and documenting consent. With proper design of your organization’s policies and procedures to show due diligence, good record keeping practices, thoughtful risk management, and understanding of jurisdiction requirements you will be on the right side of defensible information governance standards.


Over the years LevelUP has leveraged our compliance expertise to provide clients steady navigation through uncertain waters and arrive to safe compliance shores. We help clients create and implement customized, comprehensive, yet straightforward consumer consent programs which demonstrate compliance and build consumer trust.

For more information on this topic or how LevelUP Consulting partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at:


The Utah Consumer Privacy Act – And Then There Were Four

Utah’s Consumer Privacy Acts Makes the Fourth US State to Create It’s Own Privacy Law

In our previous post, New State Privacy Laws – What’s Required?, we commented that although California led the way, Virginia and Colorado passed privacy laws on the heels of this landmark legislation, and twenty states had privacy legislation in the works. Since this writing, Utah has become the newest state to pass privacy legislation. Utah’s Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022.  And, although the law does not take effect until December 31, 2023, there are compliance obligations to keep an eye on. Here’s a look at how to begin preparing for the country’s newest state privacy requirements.

UCPA Overview

The UCPA was signed into law on March 24, 2022 and will take effect on December 31, 2023. The law defines consumers as individuals who are residents of Utah and acting in an individual or household manner. Notably, it does not include individuals acting in employment or commercial contexts. It defines controllers as persons doing business in the state who determine the purposes for which, and the means by which, personal data is processed. Processor is defined as a person who processes personal data on behalf of a controller, thus borrowing terms from the GDPR.

The UCPA applies to any controller or processor who:

  • Conducts business in the state
  • Produces a product or service that is targeted to consumers who are Utah residents
  • Has an annual revenue of at least $25 million and satisfies either: (1) during a calendar year, controls, or processes personal data of 100,000 or more consumers, and/or (2) derives over 50 percent of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.

The UCPA grants consumer rights to access and delete personal data. It also requires written agreements between controllers and processors. Finally, it treats consumer rights as largely opt-out.

What Makes UCPA Different from other US State Privacy Laws? (CA, CO, and VA)

Although the UCPA is largely based on Virginia’s privacy legislation, it is distinct and arguably narrower than its predecessors. For starters, it appears to be the least restrictive of the four state data privacy laws passed to date.  First, the UCPA has a narrower scope of applicability than the other states’ laws. For a business to be in scope, it must meet the criteria above, AND satisfy one or more of the following thresholds:

1) during a calendar year, controls or processes personal data of 100,000 or more consumers, or

2) derives over 50% of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers. 

The UCPA exempts non-profits, higher education, government entities, or entities processing personal data subject to federal privacy laws. Additionally, the UCPA does not apply to personal data of employees or business contacts, de-identified data, aggregated data, or information generally available to the public.

Second, like other state privacy laws, the UCPA grants consumers rights to access and delete personal data. It does not, however, grant consumers a right to correct personal data. In addition, it only allows for deletion of information obtained from the consumer by the controller. It does not allow for deletion of information inferred from what a consumer has provided, or from third-party information. The UCPA allows for an opt-out of targeted advertising like other laws, however it sticks to opt-out for sensitive data, instead of creating an opt-in provision like the Virginia and Colorado laws. 

Thirdly, the UCPA is lighter on security and data processing agreements than its predecessors in other states. Unlike California, Virginia, and Colorado, the UCPA does not require controllers to conduct formal data processing risk assessments prior to processing personal and even sensitive data. It also does not include provisions on dark patterns. Like the other laws, the UCPA does require a controller to execute an agreement with a processor but does not require provisions in the agreement allowing controllers to audit the processor or give controllers rights to object to a processor’s use of a subcontractor.

Finally, enforcement looks slightly different under the UCPA than its predecessors in other states. Under the UCPA, consumers are required to first submit complaints to the Utah Division of Consumer Protection, which then has the power to elevate a UCPA complaint to the Utah Attorney General’s office. In California, Colorado, and Virginia, the process starts in the Attorney General’s office.

Looking Forward

As more and more states pass data privacy laws like these four, it is only natural for companies to be intimidated by the potential of a tsunami of fifty separate privacy laws. While Utah clearly added its own twist to American privacy laws, and has some unique requirements, many have remained similar to established state laws.

Since the UCPA is narrower than its predecessors in California, Virginia, and Colorado, if a company is compliant or working towards compliance with any of these privacy laws, some work will have been accomplished toward compliance with the UCPA. 

As always, reviews, updates, and implementation of robust privacy programs, data mapping, consent practices and similar good data stewardship practices will serve companies well in complying with the UCPA, as it has for the other state privacy laws.

For more information on U.S. state privacy laws or how LevelUP Consulting partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at:


Data Privacy Day 2022 – An Opportunity for Awareness

What is Data Privacy Day?

Data Privacy Day was established by the Council of Europe in 2007 (known as Data Protection Day in Europe), and first took place that year on January 28th. Observed annually, the event commemorates the January 28, 1981 signing of Convention 108, which is significant as the first legally binding international treaty dealing with privacy and data protection.

In 2009, Congress passed a resolution designating January 28th as National Data Privacy Day in the United States. The vote to pass the bill in the House of Representatives was 402-0 (can you imagine that happening now?), showing strong bipartisan support for the protection of personal information, an across the aisle trend that to a large extent continues today.

To date, Data Privacy Day is observed in the United StatesCanadaIsrael and 47 European countries.

So that’s the background on how and why we mark this day annually. Now let’s turn our attention to the audiences best suited for the important messages the celebration seeks to convey.

Citizens and Customers

Ultimately, it’s really all of us that benefit from the good stewardship of personal data. Most of us give up our names, contact and financial information, and likely a lot more personal information to many different organizations nearly every day. To have the right to access, correct, delete and suspend onward transfer of that information is a right that is currently enjoyed by many depending on where they live, and is proliferating across the globe. If you’re not currently afforded these privileges, then it is likely being discussed as a potential right for you in some legislature. CurrentlyFour states in the U.S. are proposing privacy legislation this year:  Florida, Washington, Indiana, and the District of Columbia. This trend is increasing, and many say the possibility of a federal privacy law coming into existence has never been stronger.

Key Business Unit Stakeholders

If you work on the privacy team, or are involved with risk management in your organization, then you know that you depend on the help and support of key people in the IT, human resources, sales, marketing and customer service departments, to name a few. Data Privacy Day provides an opportunity to connect with these colleagues and remind them how important personal information management is to you, your team, and the organization. Not just for legal compliance reasons, but to maintain customer trust your organization wants and needs.

Grow awareness of the importance of strong data stewardship by sharing educational materials like those available here, and here, with these coworkers.

Privacy Team Members

Even though the members of your privacy team are committed to the tenets of data governance and diligent data stewardship efforts, they still need ongoing inspiration and motivation to take on the day-to-day challenges of proper privacy management over the long haul. Leverage this day, and use this perennial event to inform, educate, energize and celebrate their ongoing work on behalf of the company’s compliance and trust endeavors. They work hard, and so do you, so now’s the time to pause, reflect, reinvigorate, mark successes, and commit to the future of your privacy program.

Good luck and let us know if we can help!

For more information, contact Eric Dieterich, Managing Director at:


Increasing the Impact of Vendor Risk Management

At the 2021 Onetrust Trust Week, (VRM) LevelUP’s on demand session focused on the added value of a vendor risk management program. As business models and the associated risk landscape continue to evolve, governance, risk and compliance (GRC) professionals can increase the impact of their VRM programs by engaging a cross-functional set of stakeholders. This allows for better management of risk and alignment to organizational objectives. By incorporating broader operational, financial, and reputational risk domains, GRC programs can deliver more valuable risk insights to a larger audience of decision makers.

Learn how streamlining and centralizing VRM activities into a shared service model can be a hidden driver of operational efficiencies. The session, just over 15 minutes, can be viewed below.

Colin Brown co-manages LevelUP Consulting Group’s core service offerings, leads our management consulting and third-party risk management services, and supports strategic initiatives. He has extensive experience providing strategic consulting services to organizations ranging in size from small private enterprises to Fortune 500 companies. Throughout his career Colin has focused on helping clients design, implement, and manage their compliance, cybersecurity, and privacy programs. He has worked with clients in a variety of industries including life sciences and pharmaceuticals, quick service restaurant, hospitality, software, retail, and financial services. Colin previously worked at a global professional services firm where he helped clients manage large compliance initiatives.

Learn more about Vendor Risk Management through our Total TPRM solution.


Dave Cohen Joins LevelUP as Senior Manager

LevelUP Consulting Group is excited to expand the team with the addition of Dave Cohen as Senior Manager. As a well-known leader within the risk industry, Dave will be providing updates on changes in the privacy risk management space, managing and delivering client services, and increasing awareness of LevelUP Consulting services provided at LevelUP Consulting. 

Dave has worked in the information privacy field for over 13 years and has been at the center of constantly evolving discussions on privacy legal compliance and privacy control operational best practices. Prior to joining LevelUP, Dave was the Senior Knowledge Manager at the IAPP. He worked with top international and domestic privacy thought leaders curating and hosting live conferences and webinars.  

He has created and hosted hundreds of programs exploring subjects such as important privacy laws including: the Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR) the U.S. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) along with other essential information privacy governance and operational control topics. 

“We are very excited to have Dave join LevelUP Consulting Group,” said Managing Director Eric Dieterich. “I have known Dave for many years and have enormous respect for his privacy knowledge and ability to make complex issues easy to understand. These qualities, combined with his ability to ask the right questions, make him a great consultant and exceptional fit for LevelUP’s client first approach.”  

Dave is a Certified Information Privacy Professional (CIPP) with the IAPP (International Association of Privacy Professionals) holding both the CIPP/E (Europe) and CIPP/US (United States) certifications. He holds a BS in Mechanical Engineering from the University of New Hampshire, with a minor in English. 

About LevelUP Consulting Group

LevelUP Consulting Group is a leading professional services provider focused on assisting organizations with evaluating, building, enhancing, and maintaining their risk management and compliance programs. Our team of subject matter experts provides specialized consulting services combined with technology subject matter expertise that help clients manage risks in an efficient and scalable manner. LevelUP works with clients ranging from startup organizations to the Fortune 500 in all industries across the United States, Canada, and EMEA. For more information about LevelUP Consulting Group, please visit

Google Maps
Sound Cloud