On March 24, Utah Gov. Spence Cox signed into law SB 227, the Utah Consumer Privacy Act. This makes Utah the fourth state, behind California, Virginia, and Colorado, to enact comprehensive consumer data privacy legislation.
The Act will become effective Dec. 31, 2023.
The legislation moved quickly, from introduction to enrollment in less than a month, presumably due to its sponsors laying the groundwork in 2021 with SB 200.
The Act applies to any controller or processor that does business in Utah, or produces a product or service targeted to Utah consumers, and:
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
- during a calendar year, controls, or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The Act contains a data-level and entity-level GLBA exemption, not applying to “a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations.”
Other exemptions include, in part, protected health information under the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, and information subject to the Fair Credit Reporting Act.
The Act provides a consumer the right to:
- confirm processing of, and have access to, their personal data;
- delete personal data that was provided to the controller by the consumer;
- obtain a copy of their personal data; and
- opt-out of the processing of their personal data if it is being processed for targeted advertising or sale.
Notably, the Act does not include the right to correct personal data, unlike the California (CPRA), Virginia, and Colorado acts.
A controller must require its processors to enter into a contract that:
- defines the specific purposes and limitations of the processing, including the duration;
- imposes a duty of confidentiality on the processor with respect to the personal data; and
- mandates a similar contract between the processor and any subcontractor.
The Act does not provide a private right of action. In the event of a violation, the Attorney General may bring an enforcement action seeking actual damages to a consumer, and an amount not to exceed $7,500 for each violation. The Act does require the Attorney General to provide a 30-day opportunity to cure a violation.
Maurice Wutscher Impression
The Act is similar to the Virginia Consumer Data Protection Act and Colorado Privacy Act and businesses that are gearing up to comply with either or both should have little problem incorporating the Utah requirements.