Utah Adopts Consumer Privacy Act
On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (the “Act”) into law. The Act makes Utah one of only a handful of states to adopt comprehensive consumer privacy legislation. While several states have seen privacy laws proposed this year, Utah is the first state to move a bill through its legislature to adoption. The Act will take effect on December 31, 2023.
Like privacy laws implemented over the past several years in other states, the Act’s scope includes only certain businesses passing a threshold inquiry. Notably, the Act generally appears to be more limited in scope than the privacy laws of other states, including the California Consumer Privacy Act and the Virginia Consumer Data Protection Act. Specifically, the Act applies primarily to businesses:
- Operating in Utah or targeting Utah residents;
- Having revenues of at least $25 million; and
- Satisfying at least one of the following thresholds:
  - Processing or controlling, during a calendar year, personal data of 100,000 or more consumers; or
  - Deriving over 50% of gross revenue from the sale of personal data and controlling or processing personal data of at least 25,000 consumers.
The Act provides consumers individual rights like those under other privacy laws, including the rights to:
- Access personal data processed by a controller.
- Delete personal data provided by the consumer to a business controller.
- Obtain a copy of personal data in a portable and readily usable format.
- Opt out of certain processing activities (including sales of data).
Controllers must also comply with several obligations related to consumer personal data under the Act, including obligations to provide clear privacy notices describing processing activities, to obtain consent before processing children’s personal data, to refrain from discriminating against a consumer for exercising a right under the Act, to implement safeguards to protect the security of personal data the controller processes, and to ensure that processing activities performed on behalf of the controller are governed by a written agreement between the processor and the controller.
Importantly, the Act does not include a private right of action and provides only for attorney general enforcement actions. As passed, the Act would allow the attorney general to impose penalties, including actual damages related to a violation of the Act, and fines of up to $7,500 per violation. While individual consumers are not able to pursue private actions against controllers, the Act requires the Utah Division of Consumer Protection to receive consumer complaints and to investigate complaints having merit.
In addition to its more limited scope, the Act also exempts information that would otherwise satisfy the definition of personal data under the Act in certain contexts, including information processed or maintained in the course of employment. With differences in scope and definitions, it will be important for businesses subject to the privacy laws of more than one state to ensure they are aware of the nuances between the laws and are able to comply operationally with each law’s requirements.