![Photo of Eric Rosenkoetter [Image by creator from ]](/media/images/Eric_Rosenkoetter.2e16d0ba.fill-500x500.jpg)
On March 24, Utah Gov. Spence Cox signed into law SB 227, the Utah Consumer Privacy Act. This makes Utah the fourth state, behind California, Virginia, and Colorado, to enact comprehensive consumer data privacy legislation.
The Act will become effective Dec. 31, 2023.
The legislation moved quickly, from introduction to enrollment in less than a month, presumably due to its sponsors laying the groundwork in 2021 with SB 200.
Applicability
The Act applies to any controller or processor that does business in Utah, or produces a product or service targeted to Utah consumers, and:
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
- during a calendar year, controls, or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Exemptions
The Act contains a data-level and entity-level GLBA exemption, not applying to “a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations.”
Other exemptions include, in part, protected health information under the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, and information subject to the Fair Credit Reporting Act.
Consumer Rights
The Act provides a consumer the right to:
- confirm processing of, and have access to, their personal data;
- delete personal data that was provided to the controller by the consumer;
- obtain a copy of their personal data; and
- opt-out of the processing of their personal data if it is being processed for targeted advertising or sale.
Notably, the Act does not include the right to correct personal data, unlike the California (CPRA), Virginia, and Colorado acts.
[article_ad]
Contract Requirements
A controller must require its processors to enter into a contract that:
- defines the specific purposes and limitations of the processing, including the duration;
- imposes a duty of confidentiality on the processor with respect to the personal data; and
- mandates a similar contract between the processor and any subcontractor.
Enforcement
The Act does not provide a private right of action. In the event of a violation, the Attorney General may bring an enforcement action seeking actual damages to a consumer, and an amount not to exceed $7,500 for each violation. The Act does require the Attorney General to provide a 30-day opportunity to cure a violation.
Maurice Wutscher Impression
The Act is similar to the Virginia Consumer Data Protection Act and Colorado Privacy Act and businesses that are gearing up to comply with either or both should have little problem incorporating the Utah requirements.
![[Image by creator from ]](/media/images/Thumbnail_Background_Packet.max-80x80_af3C2hg.png)
![Report cover reads One Conversation Multiple Channels AI-powered Multichannel Outreach from Skit.ai [Image by creator from ]](/media/images/Skit.ai_Landing_Page__Whitepaper_.max-80x80.png)
![[Image by creator from ]](/media/images/paper-collections_triggers_1_1.max-80x80.png){kind=small}
![Report cover reads Bad Debt Rising New ebook Finvi [Image by creator from ]](/media/images/Finvi_Bad_Debt_Rising_WP.max-80x80.png)
![Report cover reads Seizing the Opportunity in Uncertain Times: The Third-Party Collections Industry in 2023 by TransUnion, prepared by datos insights [Image by creator from ]](/media/images/TU_Survey_Report_12-23_Cover.max-80x80.png)
![[Image by creator from ]](/media/images/Skit_Banner_.max-80x80.jpg)
![Whitepaper cover reads: Navigating Collections Licensing: How to Reduce Financial, Legal, and Regulatory Exposure w/ Cornerstone company logo [Image by creator from ]](/media/images/Navigating_Collections_Licensing_How_to_Reduce.max-80x80.png)
![Whitepaper cover text reads: A New Kind of Collections Strategy: Empowering Lenders Amid a Shifting Economic Landscape [Image by creator from ]](/media/images/January_White_Paper_Cover_7-23.max-80x80.png)
![Webinar graphic reads Help Wanted: Predictive, Collaborative and Intelligent Contact Data April 25 at 3pm et by TransUnion [Image by creator from ]](/media/images/Landing_Page_2_KAmAKW1.max-80x80.png){kind=small}
![Webinar graphic reads Multi-Channel AI: Improve Contacts & Increase Revenue Compliantly April 4 at 2pm et [Image by creator from ]](/media/images/Skit.ai_InsideARM_Landing_Page_1200x627.max-80x80.png){kind=small}
![Streamline Your Collections Process with Voice AI [Image by creator from ]](/media/images/Streamline_Your_Collections_Process_with_Voice.max-80x80.png){kind=small}
![How to Connect with Today’s Digital Consumer [Image by creator Editor from insideARM]](/media/images/finvi_webinar_thumbnail.max-80x80.png){kind=small}
![Customizable or Configurable? Webinar [Image by creator Editor from insideARM]](/media/images/Landing_Page_2.max-80x80.png){kind=small}
![How to Launch an Omnichannel Collection Strategy [Image by creator Neustar from insideARM]](/media/images/omnichannel-webinar.max-80x80.png){kind=small}
![Breaking Down the CFPB's Opinion on Convenience Fees [Image by creator Editor from insideARM]](/media/images/2022-11-convieniance-fees-webinar.max-80x80.png){kind=small}
![Overcoming Communication Barriers to Reach Your Accounts [Image by creator Editor from insideARM]](/media/images/neustar-overcoming-communications-barriers-thu.max-80x80.png){kind=small}