Utah Legislature Passes Consumer Privacy Bill
Insights
3.16.22
The Utah House of Representatives passed a comprehensive consumer privacy bill, which had been approved by the Senate earlier this year. The bill, which is similar to recent legislation passed in Colorado and Virginia and includes some of the same protections included in the California Consumer Privacy Act, is awaiting signature by the governor. Although many of the protections are similar to the other states’ laws, Utah’s new bill, if enacted, will potentially have a narrower scope, as it will apply only to businesses that (1) conduct business in Utah or provide a product or service directed at Utah residents; (2) have an annual gross revenue of over $25 million; and (3) either control or process the personal data of a minimum of 100,000 residents, or derive over 50% of its gross revenue from the “sale” of personal data and control or process the personal data of 25,000 Utah residents. The proposed law, like other state laws, exempts certain entities and categories of data, such as institutions of higher learning, non-profits and information or entities regulated by HIPAA and the Gramm-Leach-Bliley Act, as well as employee and business-to-business contact information.
If signed into law, the Act is scheduled to take effect December 31, 2023, and will contain many of the same protections we have seen with the Colorado, Virginia, and California laws, including:
- Protecting personal information, which is defined as information linked or reasonably linked to an identified or identifiable individual (de-identified, aggregated or publicly available information is not considered “personal information” under the Act);
- Consumers may choose to opt out of having their personal information used for certain purposes, including targeted advertising or the sale of their personal information (note that Utah does not allow consumers to opt out of automated profiling, however);
- Consumers will be provided the rights of notice, access, portability and deletion, limited by certain exemptions, including the business’s ability to use personal information for fraud detection or legal compliance purposes.
Interestingly, the Act does not provide for the right to correction but does permit consumers to be charged a fee when responding to consumer requests under certain circumstances.
The Act also creates a “sensitive information” category, which includes any information about race or ethnic origin, religious beliefs, sexual orientation, citizenship, immigration status, health, biometric, and genetic data, and geolocation information. Unlike similar laws, individuals will not be required to provide consent for the collection and processing of sensitive data; rather, businesses are required to provide notice and provide consumers with the opportunity to opt out of the use of their sensitive data.
The Act is likely more business-friendly, as it provides no private right of action, but will be enforced through The Utah Attorney General. The Utah Department of Commerce, Division of Consumer Protection will be given the authority to investigate any consumer complaints. If the Department believes a violation of the Act has occurred, the complaint will be referred to the Attorney General. Businesses will be given at least 30 days to cure any violation, but continuing violations may result in fines of up to $7,500 each.