Skip to Content

New Year, New Data Privacy Compliance Obligations

on Monday, 29 January 2024 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

The first quarter of 2024 begins with two new data privacy laws going into effect – the Utah Consumer Privacy Act and Oregon’s data broker registration law. 


The Utah Consumer Privacy Act (UCPA) (which actually went into effect on December 31, 2023), applies to controllers or processors that (1) conduct business in Utah, (2) have annual gross revenues of $25,000,000 or more, and (3) either process the personal data of 100,000 or more state residents in a calendar year or derive 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents.

The UCPA also requires businesses to provide consumers with information about how they can exercise their rights.  The UCPA gives consumers the right to:

  • Find out if a business is processing their personal data
  • Access their personal data
  • Request that a business delete their personal data
  • Obtain a copy of their personal data
  • Opt out of having their personal data sold or used for advertising

Consumers have the ability to exercise a right by submitting a request to a covered business, which then has 45 days to respond to the request.

Unlike many other state data privacy laws, the UCPA does not require consent to process sensitive data, but does require businesses to provide notice to the consumer, along with an opportunity to opt out such processing.


Effective January 1, 2024, data brokers are required to register with the Oregon Department of Consumer and Business before collecting, selling, or licensing brokered personal data.  “Data broker” is defined as “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.”  The law exempts several entities from the definition of “data broker,” including those collecting information from their customers, subscribers or users of the business’s goods or services, those acting in a “similar” relationship,” or an entity acting as an agent for those companies.   The law also exempts consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions subject to the Gramm-Leach-Bliley Act.

The law defines “brokered personal data” to include computerized data elements about an Oregon resident, if categorized or organized for sale or licensing to another person, including in part: name, physical address, date or place of birth, mother’s maiden name, biometric information, and Social Security Number (or any other government-issued identification number). The definition also includes any other information that, alone or in combination with other information that is sold or licensed, “can reasonably be associated with the resident individual.”  

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500