Following the lead of California, Colorado, and Virginia, Utah is set to become the fourth state to pass a comprehensive privacy law.
As of March 4, the Utah Consumer Privacy Act (SB 227) cleared both houses of the Utah legislature. The UCPA closely resembles the Virginia Consumer Data Privacy Act, but with some interesting changes. The law applies to controllers or processors that do processors that do business in Utah, or produce a product or service that is targeted to consumers who are Utah residents; have annual revenue of $25 million or more; and either (a) control or process personal data of 100,000 or more consumers in Utah during a calendar year, or (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. The law does not include a private right of action; rather, it will be enforced by the Utah AG. If signed, the law will go into effect on December 31, 2023.
The law would vest consumers with rights such as the right to confirm whether a controller is processing their personal data, access and deletion rights, and opt-out rights. The law would require controllers and processors to provide notice that (1) identifies categories of and purposes for which personal data are processed, (2) informs consumers how they may exercise a right, (3) categories of personal data the controller shares with third parties, and (4) the categories of third parties with whom the controller shares personal data.
The law also includes a 30-day right to cure. Moreover, the law neither vests the AG with rulemaking authority, nor does it provide consumers the ability to opt-out of processing using a global privacy control.
While the Utah law will likely not significantly change compliance requirements for businesses subject to the California, Colorado, or Virginia laws, it will create new obligations for some companies. It also serves as a reminder that states will continue to take different approaches, expanding the patchwork of varying legal requirements in the privacy field.