Utah to Add Fourth Omnibus Privacy Law to the Growing State Patchwork
Privacy In Focus®
On March 3, 2022, the Utah House of Representatives passed a consumer privacy bill: the Utah Consumer Privacy Act. The bill had already passed the Utah Senate in February and, at the time of this writing, awaits a signature from Governor Spencer Cox. Utah’s privacy bill would be the fourth state-level omnibus consumer privacy law, following Colorado, Virginia, and California, and it is slated to take effect on December 31, 2023 – which is almost a year after the Virginia law and five months after the Colorado law.
Below, we provide a high-level summary of the new law, which, once it is signed, will add to the growing patchwork of state laws that companies with a national footprint will need to navigate.
Scope: The Utah law would apply to any “controller” or “processor” who:
- Conducts business in Utah or produces a product or service that targets Utah residents; and
- Has annual revenue of at least $25 million; and
- Controls or processes the personal data of 100,000 or more consumers; or
- Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Key Definitions: The new law covers “personal data,” which is defined consistent with the Virginia and Colorado laws as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Also, Utah does not include deidentified data, aggregated data, or publicly available information in the definition of personal data. The law also establishes a category of “sensitive data,” which receives heightened protections. “Sensitive data” includes: “personal data that reveals an individual’s racial or ethnic origin, an individual’s religious beliefs, an individual’s sexual orientation, an individual’s citizenship or immigration status, or information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.” Finally, the new law defines “consumer” as a Utah resident acting in an individual or household context, and like Virginia and Colorado, excludes individuals acting in an employment or commercial context.
Consumer Rights: The law would create many familiar data privacy rights, including:
- The right to know;
- The right to access;
- The right to delete;
- Portability rights; and
- Opt-out rights for processing related to targeted advertising or personal data sales.
Controller and Processor Obligations: Controllers and processors also have a number of duties relating to the processing of consumer personal data. Controllers must:
- Provide consumers with privacy notices;
- Maintain reasonable security practices regarding personal data;
- Provide consumers with notice and opt-out opportunities before processing sensitive data; and
- Not discriminate against consumers that exercise their rights.
Processors must:
- Enter into contracts that provide instructions for processing; and
- Adhere to controller instructions, and take appropriate security measures regarding personal data processing.
Enforcement: The law does not create a private right of action; instead, the Utah Attorney General (AG) has sole authority to enforce the law. The AG can recover actual damages to the consumer and up to $7,500 for each violation. The law would include a 30-day cure period for violations.
As organizations are developing a comprehensive strategy to comply with the growing number of state omnibus privacy laws, they will need to add Utah to the equation.
Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and address compliance with new privacy laws. Please reach out to any of the authors with questions.
© 2022 Wiley Rein LLP