Newsletter

Utah to Add Fourth Omnibus Privacy Law to the Growing State Patchwork

March 2022

Privacy In Focus®

On March 3, 2022, the Utah House of Representatives passed a consumer privacy bill: the Utah Consumer Privacy Act. The bill had already passed the Utah Senate in February, and at the time of this writing, awaits a signature from Governor Spencer Cox. Utah’s privacy bill would be the fourth state-level omnibus consumer privacy law, following Colorado, Virginia, and California, and it is slotted to take effect on December 31, 2023 – which is almost a year after the Virginia law and five months after the Colorado law.

Below, we provide a high-level summary of the new law, which once it is signed into law will add to the growing patchwork of state laws that companies with a national footprint will need to navigate.

Scope: The Utah law would apply to any “controller” or “processor” who:

  • Conducts business in Utah or produces a product or service that targets Utah residents; and
  • Has at least an annual revenue of $25 million; and
  • Either:
    • Controls or processes the personal data of 100,000 or more consumers; or
    • Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Key Definitions: The new law covers “personal data,” which is defined consistent with the Virginia and Colorado laws as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Also, Utah does not include deidentified data, aggregated data, or publicly available information in the definition of personal data. The law also establishes a category of “sensitive data,” which receives heightened protections. “Sensitive data” includes: “personal data that reveals an individual’s racial or ethnic origin, an individual’s religious beliefs, an individual’s sexual orientation, an individual’s citizenship or immigration status, or information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.” Finally, the new law defines “consumer” as a Utah resident acting in an individual or household context, and like Virginia and Colorado, excludes individuals acting in an employment or commercial context.

Consumer Rights: The law would create many familiar data privacy rights, including:

  • The right to know;
  • The right to access;
  • The right to delete;
  • Portability rights; and
  • Opt-out rights for processing related to targeted advertising or personal data sales.

Controller and Processor Obligations: Controllers and processors also have a number of duties relating to the processing of consumer personal data. Controllers must:

  • Provide consumers with privacy notices;
  • Maintain reasonable security practices regarding personal data;
  • Provide consumers with notice and opt-out opportunities before processing sensitive data; and
  • Not discriminate against consumers that exercise their rights.

Processors must:

  • Enter into contracts that provide instructions for processing; and
  • Adhere to controller instructions, and take appropriate security measures regarding personal data processing.

Enforcement: As for enforcement, the law does not create a private right of action; instead, the Utah Attorney General (AG) has sole authority to enforce the law. The AG can recover actual damages to the consumer and up to $7,500 for each violation. The law would include a 30-day cure period for violations.

***

As organizations are developing a comprehensive strategy to comply with the growing number of state omnibus privacy laws, they will need to add Utah to the equation.

Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and address compliance with new privacy laws. Please reach out to any of the authors with questions.

© 2022 Wiley Rein LLP

Read Time: 3 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek