June 25, 2022

Volume XII, Number 176


The Beehive State Joins the State Privacy Law Hive: Utah Privacy Law Passes

Utah recently joined California, Colorado, and Virginia in passing a comprehensive privacy law. It goes into effect December 31, 2023 and shares similarities with other states’ laws. Businesses may be glad to learn that Utah takes a lighter touch in some key areas.

Applicability. Like Virginia and Colorado, Utah’s law applies to information about consumers, not employee or B2B information. It applies to businesses that (1) conduct business in Utah or produce products or services targeted to Utah residents, (2) have annual revenues of $25 million or more, and (3) either (a) process personal data of 100,000 or more Utah residents, or (b) derive more than 50 percent of their gross revenue “from the sale of personal data and [control or process] the personal data of 25,000 or more Utah consumers.” That the law includes both a financial and volume threshold is unique. As a result, the law may apply to fewer businesses than those that are, or will be, subject to other state laws. Similar to other states, Utah provides for a number of exceptions. For example, the law does not apply to government entities, nonprofits, and HIPAA-covered entities and business associates. It also does not apply to financial institutions subject to the Gramm-Leach-Bliley Act.

Individual Rights. Like other US laws and GDPR, Utah consumers will have certain rights under this law. This includes a right to access and deletion. It also includes a right to portability. There is no right to correction (as exists in the other state laws). The law also contemplates a right to opt out of “sale” and “targeted advertising.” Utah’s law follows Virginia’s narrower definition of “sale” rather than California’s broader definition. In Utah, a sale is limited to the exchange of personal data for monetary consideration. Further, the law does not consider disclosures of personal information to third parties a sale if the purpose is consistent with the consumer’s reasonable expectations. Utah allows collection of “sensitive data” if consumers are given notice and the right to opt out of such collection. This differs from Colorado and Virginia, which require opt-in consent.

Contractual Requirements. Like other general privacy laws, Utah requires a contract with entities engaged to “process” information on the company’s behalf. That contract should outline the nature and purpose of processing, that information processed remain confidential, and that subcontractors enter into an agreement with similar obligations.

Governance requirements. Unlike California, Virginia, and Colorado, Utah does not require companies to conduct and document data protection impact assessments. The law also does not contemplate any cybersecurity audits or risk assessments.

Enforcement. In line with the other laws, Utah does not provide for a private right of action. The law will be enforced by the Utah Attorney General. There is a 30-day cure period for alleged violations. The AG may recover actual damages to the consumer, and a penalty up to $7,500 for each violation.

Putting it into Practice: Companies operating in the US now have four comprehensive state privacy laws to keep on their radar for 2023. These are in addition to the myriad (and changing) state privacy laws that govern specific activities and types of information (biometric laws, telephone marketing laws, and more). The continued passage of these laws is a reminder of the importance of having a nimble privacy program that can readily adapt to the changing legislative landscape.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 87

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334