Utah Latest State to Enact a Comprehensive Privacy Law
Yesterday, Utah Governor Spencer Cox signed into law the fourth state comprehensive privacy law in the United States. In what is shaping up to be a patchwork of state privacy laws, the Utah Consumer Privacy Act (UCPA) closely resembles Virginia and Colorado’s versions. As businesses strive to comply with Virginia, Colorado, and California’s new privacy laws and regulations, Utah’s iteration adds yet another wrinkle to compliance efforts.
The UCPA takes effect on December 31, 2023. Similar to other states’ laws, the UCPA applies to any business that has more than $25 million in annual revenues, conducts business in Utah or produces products or services targeted to Utah consumers, and either: (a) controls or processes personal data of more than 100,000 Utah consumers in a calendar year, or (b) derives over 50% of revenues from the sale of personal data and controls or processes the personal data of more than 25,000 Utah consumers. The law exempts many businesses, such as those governed by the Health Insurance Portability and Accountability Act and financial institutions subject to Title V of the Gramm-Leach-Bliley Act. It also contains helpful exclusions for certain deidentified and pseudonymous data.
Like other states’ privacy laws, the UCPA grants consumers the right to access their personal data, obtain a copy of their personal data, delete their personal data in certain circumstances, and opt out of the sale of their personal data or its processing for targeted advertising. Businesses will also have to review their contracts for data flows to address certain data processing terms, such as specifying limitations on the use of personal data.
The UCPA is unique in several respects. For example, businesses will not be required to perform data protection assessments, consumers are not granted a right to correct inaccurate information, and businesses may charge a reasonable fee to consumers who make more than one rights request in a 12-month period or when a consumer’s request is, among other things, excessive, repetitive, technically infeasible, manifestly unfounded, or intended to harass, disrupt, or impose undue burden on the business.
As for enforcement, the UCPA does not provide a private right of action. Rather, the UCPA creates an administrative enforcement process in which the Utah Department of Commerce’s Consumer Protection office initially investigates alleged violations of the law. If substantial evidence of a violation is found, the matter can be referred to the Utah Attorney General’s office for the initiation of an enforcement action. Businesses are provided a 30-day cure or safe harbor period from a notice of violation. If a business fails to cure the violation(s) in that time, the Attorney General can impose penalties of up to $7,500 per violation.
We are continuing to monitor state privacy legislation across the United States. As of this week, there is active privacy legislation that has passed at least one legislative chamber in Iowa, Maryland, and Oklahoma. 2022 is proving to be a busy year for compliance. For further information about the UCPA or privacy laws in general, please contact John Landolfi, Chris Ingram, Gretchen Rutz, Jordan Patterson, or your Vorys attorney.