Utah recently joined California, Colorado, and Virginia in passing a comprehensive privacy law. It goes into effect December 31, 2023 and shares similarities with other states’ laws. Businesses may be glad to learn that Utah takes a lighter touch in some key areas.
Applicability. Like Virginia and Colorado, Utah’s law applies to information about consumers acting in an individual or household context, not to employee or B2B information. It applies to businesses that (1) conduct business in Utah or produce products or services targeted to Utah residents, (2) have annual revenues of $25 million or more, and (3) either (a) control or process personal data of 100,000 or more Utah consumers during a calendar year, or (b) derive more than 50 percent of their gross revenue “from the sale of personal data and [control or process] the personal data of 25,000 or more Utah consumers.” Requiring both a revenue threshold and a volume threshold is unique among the four state laws; as a result, Utah’s law will likely reach fewer businesses than those that are, or will be, subject to the others. Like the other states, Utah provides a number of exemptions. For example, the law does not apply to government entities, nonprofits, institutions of higher education, or HIPAA-covered entities and business associates. It also does not apply to financial institutions subject to the Gramm-Leach-Bliley Act.
Individual Rights. Like the other US state laws and the GDPR, Utah gives consumers certain rights over their personal data: a right to access, a right to deletion, and a right to portability. There is no right to correction, which does exist in the California, Colorado, and Virginia laws. The law also provides a right to opt out of “sale” and of “targeted advertising.” Utah follows Virginia’s narrower definition of “sale” rather than California’s broader one: in Utah, a sale is limited to the exchange of personal data for monetary consideration. Further, a disclosure to a third party is not a sale if the purpose is consistent with the consumer’s reasonable expectations given the context in which the data was provided (disclosures to processors and affiliates, and disclosures the consumer directs, are also excluded). Utah permits the processing of “sensitive data” as long as consumers are given clear notice and an opportunity to opt out. This differs from Colorado and Virginia, which require opt-in consent before sensitive data is processed.
Contractual Requirements. Like the other general privacy laws, Utah requires a written contract with any entity engaged to “process” personal data on the company’s behalf. That contract must set out instructions for processing, the nature and purpose of the processing, the type of data processed and the duration of processing, the parties’ rights and obligations, and a duty of confidentiality for everyone who handles the data. It must also require that any subcontractor be engaged under a written agreement imposing the same obligations on the subcontractor.
Governance requirements. Unlike California, Virginia, and Colorado, Utah does not require companies to conduct and document data protection impact assessments. Nor does the law contemplate cybersecurity audits or formal risk assessments, although controllers must still establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the data they hold.
Enforcement. Like Virginia and Colorado (and unlike California, which provides a limited private right of action for certain data breaches), Utah does not provide a private right of action. The Utah Division of Consumer Protection receives and investigates consumer complaints, and the Utah Attorney General has exclusive authority to enforce the law. Businesses receive written notice and a 30-day cure period before an enforcement action may be brought. The AG may recover actual damages to the consumer and a civil penalty of up to $7,500 for each violation.
Putting it into Practice: Companies operating in the US now have four comprehensive state privacy laws to keep on their radar for 2023, with Utah’s taking effect at the very end of that year. These are in addition to the many (and changing) state laws that govern specific activities and types of information (biometric laws, telephone marketing laws, and more). The continued passage of these laws is a reminder of the importance of a nimble privacy program, one that can track which thresholds, rights, and contract terms apply in each state and adapt as the legislative landscape changes.