
March 04, 2022

Utah Poised to Enact Consumer Privacy Law


Key Takeaways

  • The Act’s applicability would make it narrower than any currently enacted state privacy law to date.
  • The Act provides consumers with the now well-known rights of notice, access, portability and deletion.
  • Like other laws, the Utah Consumer Privacy Act allows consumers to opt out of the use of their information for certain purposes, including targeted advertising and the sale of personal information.

On March 3, 2022, the Utah House of Representatives unanimously passed a consumer privacy bill that the Utah Senate passed earlier this year. The bill, entitled the Utah Consumer Privacy Act, still has several hurdles to clear before becoming law. Leaders from both legislative chambers will need to provide their signatures before the 2022 session adjournment on March 4, 2022; following those signatures, Utah Governor Spencer J. Cox has 20 days to sign or veto the bill before it becomes law. Despite these remaining hurdles, the bill is widely expected to become the fourth comprehensive state consumer privacy law in the United States and the first such bill to become law in 2022.

 

In Depth


The Utah Consumer Privacy Act would apply to businesses that:

  1. Conduct business in Utah or produce a product or service targeted to Utah residents;
  2. Have an annual gross revenue of over $25 million; and
  3. Either (i) control or process the personal data of at least 100,000 residents or (ii) derive over 50% of their gross revenue from the "sale" of personal data and control or process the personal data of at least 25,000 residents.

The Act's applicability would make it narrower than any currently enacted state privacy law to date. And as with other state laws, the Act contains broad exceptions for certain entities and data categories, including higher education institutions, nonprofits, and information and entities regulated by both the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The Act, which is scheduled to take effect on December 31, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals:

  • The Act provides consumers with the now well-known rights of notice, access, portability and deletion. These rights, however, are limited by reasonable business-use exemptions, such as detecting fraud and complying with a company's legal obligations. Notably, the Act does not provide consumers with the right to correction.
  • Like other laws, the Utah Consumer Privacy Act allows consumers to opt out of the use of their information for certain purposes, including targeted advertising and the sale of personal information. Unlike other state laws, the Utah Consumer Privacy Act does not allow consumers to opt out of automated "profiling."
  • The "personal information" protected by the bill includes information that is linked or reasonably linkable to an identified or identifiable individual. "Personal information" does not include deidentified, aggregated or publicly available information.
  • The Act would exclude employee data and business-to-business contact information from its scope, following similar exclusions in other states.
  • The Act creates a category of "sensitive" information, which includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health, biometric or genetic data, and geolocation data. However, instead of following the Virginia/Colorado model and requiring opt-in consent for the collection and processing of sensitive information, the Act would require businesses to provide notice and an opportunity to opt out of the use of "sensitive" data.
  • The Utah Consumer Privacy Act is exclusively enforced through actions by the Utah Attorney General. The law does not provide for a private right of action.
  • The Act grants the Utah Department of Commerce Division of Consumer Protection the power to investigate consumer complaints regarding the processing of their personal information by a business. If the director of the Division of Consumer Protection has reasonable cause to believe that substantial evidence exists that the business is in violation of the law, the director will then refer the matter to the Attorney General.
