
Utah Consumer Privacy Act signed

Several weeks ago Utah passed Senate Bill 227, the Utah Consumer Privacy Act, through both chambers, and today, March 24th, Governor Spencer J Cox signed it into law. This makes Utah the 4th state to have privacy legislation set for enforcement in 2023. Utah's enforcement will come much later than the others, however, as the enforcement date is the very last day of the year, December 31st, 2023.

Note: I am not a lawyer. Any questions about said law should be directed at relevant legal counsel.

Who does it apply to?

The law applies to any controller or processor who does the following:

Conducts business in the state of Utah or produces a product or service targeted to consumers who are residents of Utah, has annual revenue of $25,000,000 or more, and meets one of the following conditions:

  • During a calendar year, controls or processes personal data of 100,000 or more consumers
  • Derives 50% of the entity's gross revenue from the sale of personal data and processes personal data of 25,000 or more consumers.

This makes the law narrower in scope compared to the other state laws. California, for example, has the $25 million threshold as an independent basis for qualification, and both Colorado and Virginia have no revenue-based exemptions.

Notable exemptions

The law explicitly does not apply to:

  • government entities, or a third party under contract with the government when doing work on behalf of the government
  • a tribe
  • any institution of higher education
  • any nonprofit corporation
  • a covered entity
  • a business associate
  • data which is already covered by more specific law (the law lists HIPAA medical data, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act that covers the financial sector)

Notable differences from other privacy laws

Consent

Unlike the other state privacy laws to date, the Utah law does not require Opt-In consent for processing of sensitive data (racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, biometric data, or specific geolocation data). Opt-In consent is required for children, as defined under COPPA (Children's Online Privacy Protection Act).

While the other states allow opting out of profiling, the Utah law only allows consumers to opt out of targeted advertising and sales. The controller must disclose the fact that they sell the consumer's personal data or engage in targeted advertising, and present a notice which explains how the consumer may exercise the right to opt out of the sale of personal data or of processing for targeted advertising.

Sale of Data

Like the Virginia law, the term ‘sale’ means selling to a third party for monetary consideration. This is a narrower scope than is seen in the California and Colorado laws, which include ‘other valuable consideration’ in their respective definitions of sale.

Other Consumer Rights

Consumers retain the rights to access, request deletion of, and obtain a portable copy of their data, as is common to the other laws. Note, however, that I didn't mention correction, which is not a right that consumers have under the Utah bill.

Notably, even the rights that do exist are narrower here. Utah only grants the rights to access and delete data that the consumer previously provided to the controller. This mimics the Virginia law, but is in contrast to the rights granted to residents in Colorado and California, which use phrases such as data "concerning" or "about" the consumer, expanding the data that must be disclosed in those states.

Request Timelines

A request must be honored within 45 days by the controller. A controller may claim a one-time extension of an additional 45 days. Utah does not offer an appeal process for consumers whose request is denied by a controller, unlike Colorado and Virginia.

Data Protection Assessments

Unlike every other state privacy bill, Utah does not require any sort of privacy or data assessment to be conducted.

Limits

The Utah law has many additional limits to its reach, as outlined on page 20 of the bill. These limits mean the law does not restrict a controller's ability to do the following with data that has been collected:

  • Comply with a federal, state or local law, rule or regulation.
  • Comply with a civil, criminal or regulatory inquiry by a federal, state, local or other governmental entity.
  • Cooperate with a law enforcement agency.
  • Investigate, prepare for or defend a legal claim.
  • Provide a product or service requested by a parent or legal guardian of a child.
  • Perform a contract to which the consumer or legal guardian is a party.
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual.
  • Detect, prevent, protect against or respond to a security incident.
  • Conduct internal analytics or research to develop, improve or repair a controller's or processor's product, service or technology, such as repairing technical errors, executing a product recall, or performing an internal operation reasonably aligned with the consumer's expectations based on the existing relationship.
  • Retain a consumer's email address to comply with the consumer's request to exercise a right.

Enforcement

The law does not have a private right of action. Instead, a claim can be made to the Department of Commerce Consumer Protection Office, which can decide to investigate. If a violation is found, the case is then referred to the Utah Attorney General's office.

Should a violation be found, the AG will give the controller or processor written notice 30 days before charges are filed, and the controller or processor has that 30-day window to cure the violation. For uncured violations, the AG may seek to recover actual damages to the consumer and fines not to exceed $7,500 per violation.

Fines recovered under this law are directed to a "Consumer Privacy Account" which the AG can use for conducting investigations, recovering attorney fees, or providing consumer or business education. If the balance of the account ever exceeds $4,000,000 at the end of a fiscal year, the overage is transferred into the General Fund.

Personal Thoughts

We're rapidly entering a world in which privacy law rivals the insurance industry in the United States. As each state passes its own version, compliance will become increasingly difficult.

With that said, the Utah law is a first step, but is weaker than the previously passed laws. I am concerned that lobbying will continue to water down privacy laws, while also pushing for a federal law that overrules state laws. I guess we'll need to see what happens in the future, but I consider this a possibility.

Next Steps

For those keeping track, 2023 is shaping up to be a busy year.

In January, we'll see enforcement of the Virginia and California laws begin, before Colorado begins enforcement in July. With the signing of the bill today, Utah now joins the ranks effective December 31st. Since all these laws are slightly different, affected brands will need to craft a strategy for complying with all the different regulations and modify their processes (such as marketing tactics) for handling consumers who opt out of targeted advertising or profiling.

The best advice I have to give is to talk to counsel and start prepping early, as we have just over 8 months before California and Virginia begin their enforcement periods. In the case of California there is no cure period, so brands are best served getting it right from the get-go rather than waiting for an investigation by California's new Privacy Agency.
