Utah is close to becoming the fourth state to have a comprehensive privacy law. The Utah Consumer Privacy Act (SB 227) unanimously passed the Utah Senate on February 25. The Utah House followed suit quickly, unanimously passing the law on March 2, before the legislative session ended on March 4. The House version slightly modified a couple of the definitions in the Senate version, and the Senate has already approved those changes. As of March 3, a final version is being sent to Governor Spencer Cox for his signature. If signed, the law will go into effect on December 31, 2023.
Utah will likely join California, Colorado, and Virginia as the fourth state with a comprehensive privacy law. In terms of parallels, the Utah law most closely mirrors Virginia’s. It has broad exemptions for entities regulated under certain federal laws (with language that is seemingly broader than the exemptions in place in California), is only enforceable by the Utah AG (and includes a 30-day cure period), does not provide the Utah AG with any rulemaking authority, and does not provide consumers with the ability to opt-out of processing using a global privacy control.
Because the Utah law will not create any substantially new obligations for businesses already subject to the other state laws, it is unclear as to whether this fourth state will be sufficient for Congress to feel enough pressure to pass a federal privacy law. Still, state legislative sessions are ongoing, and it is possible that another state joins the privacy party. We are tracking the laws in Wisconsin and Florida, specifically, both of which have passed one of the two chambers in their respective state legislatures. We will continue to provide updates on these issues.
Below are key provisions of the Utah Consumer Privacy Act:
- Applies to controllers or processors that do business in the state or produce a product or service that is targeted to consumers who are Utah residents; have annual revenue of $25M or more; and either a) control or process personal data of 100,000 or more consumers during a calendar year, or b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
- Exempts various entities and information types, including government entities; covered entities and business associates under HIPAA; information governed by HIPAA; financial institutions and information governed by the GLBA; and personal data regulated by FERPA.
- Creates individual rights for consumers, including the right to confirm whether a controller is processing their personal data; the right to access their personal data; the right to delete the personal data provided to the controller; the right to obtain a copy of their personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without impediment; and the right to opt out of the processing of their personal data for the purposes of targeted advertising or the sale of personal data.
- Mandates that controllers provide consumers with a privacy notice with the following information: 1) the categories of personal data processed; 2) the purposes for which the categories of personal data are processed; 3) how consumers may exercise a right; 4) the categories of personal data that the controller shares with third parties; and 5) the categories of third parties with whom the controller shares personal data.
- Incorporates privacy by design principles, such as data minimization and purpose limitation.
- Creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt out of the processing.
- Enables the Division of Consumer Protection to establish and administer a system to receive consumer complaints regarding a controller’s or processor’s alleged violation.
- Does not create a private right of action. Violations are only enforceable by the Utah AG’s office. The AG may recover actual damages to the consumer and up to $7,500 for each violation.
- Creates a thirty-day cure period once the AG provides written notice of an alleged violation.
- Would go into effect on December 31, 2023.