Utah Enacts Consumer Privacy Bill

Originally published by Danielle S. Urban, Fisher Phillips, the Leavitt Group preferred partner for employment law. Some content by Leavitt Group.

Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (UCPA) on March 24th, making Utah the fifth state to pass its own privacy law while waiting for a nationwide federal law to be enacted (which has yet to happen). California (2018), Nevada (2021), Virginia (2021) and Colorado (2021) state privacy laws predate the Utah law and the UCPA includes similar provisions as recent legislation passed in Colorado, Virginia and California (not so similar to Nevada). Of all of the aforementioned state privacy laws, only the California Consumer Privacy Act (CCPA) and Nevada are already in effect. All others will become effective in 2023 (Virginia: January 1; Colorado: July 1; and, California Privacy Act: January 1). The UCPA will become effective on December 31, 2023.

Although many of the protections are similar to the other states’ laws, Utah’s new bill, if enacted, will potentially have a narrower scope. UCPA will only apply to businesses who:

(1) conduct business in Utah or provide a product or service directed at Utah residents;

(2) have an annual gross revenue of over $25 million; and,

(3) either control or process the personal data of a minimum of 100,000 residents, or derive over 50% of its gross revenue from the “sale” of personal data and control or process the personal data of 25,000 Utah residents.

The new law, like other state laws, exempts certain entities and categories of data, such as institutions of higher learning, non-profits and information or entities regulated by HIPAA and the Gramm-Leach-Bliley Act, as well as employee and business-to-business contact information.

UCPA contains many of the same protections we have seen with the Colorado, Virginia, and California laws, including:

• Protecting personal information, which is defined as information linked or reasonably linked to an identified or identifiable individual (de-identified, aggregated or publicly available information is not considered “personal information” under the Act);
• Consumers may choose to opt out of having their personal information used for certain purposes, including targeted advertising or the sale of their personal information (note that Utah does not allow consumers to opt out of automated profiling, however);
• Consumers will be provided the rights of notice, access, portability and deletion, limited by certain exemptions, including the business’s ability to use personal information for fraud detection or legal compliance purposes; and,
• Right to access and delete personal data maintained by certain businesses, to name a few.

Interestingly, the Act does not provide for the right to correction, but does permit consumers to be charged a fee when responding to consumer requests under certain circumstances.

Sensitive Information Category Mandate Notice & Opt-Out

The Act also creates a “sensitive information” category, which includes any information about race or ethnic origin, religious beliefs, sexual orientation, citizenship, immigration status, health, biometric, and genetic data, and geolocation information. Unlike similar laws, individuals will not be required to provide consent for the collection and processing of sensitive data; rather, businesses are required to provide notice and provide consumers with the opportunity to opt out of the use of their sensitive data.

Analysis

The Act is business-friendly, as it provides no private right of action, but will be enforced through The Utah Attorney General. The Utah Department of Commerce, Division of Consumer Protection will be given the authority to investigate any consumer complaints. If the Department believes a violation of the Act has occurred, the complaint will be referred to the Attorney General.  Businesses will be given at least 30 days to cure any violation, but continuing violations may result in fines of up to $7,500 each.