Utah Consumer Privacy Act Newest State Privacy Act Signed into Law
Friday, March 25, 2022
Utah Consumer Privacy Act Gov. Spencer J. Cox
Print Mail Download i

The newest state data privacy law, the Utah Consumer Privacy Act, was signed into law by Utah Governor Spencer J. Cox on March 24, 2022. This makes Utah the fifth state to pass its own privacy law instead of waiting for the federal government to enact a nationwide federal law.

There are other state laws that are pending in legislatures across the country, and we anticipate that others will be passed during this year’s legislative season.

Similar to the California, Nevada, Virginia and Colorado state privacy laws, the Utah Consumer Privacy Act provides consumers with the right to:

  • access and delete personal data maintained by certain businesses;

  • opt out of the collection and use of personal data for certain purposes;

  • requires some businesses to safeguard data, and provide transparency to consumers about how they collect and use data;

  • comply with a consumer’s request to exercise rights under the law;

  • provides consumers with the right to know what data a business collects, how it uses personal data and whether it sells the data;

  • requires a business to delete a consumers’ personal data or stop selling the data (with certain exceptions);

  • provides the Division of Consumer Protection jurisdiction to investigate consumer complaints regarding the processing of personal data; and

  • authorizes the Office of the Attorney General to enforce the law and impose penalties for violation.

The law includes broad definitions of personal and sensitive data, requires controllers of data to provide notice to consumers of collection of personal data and minimize the amount of data collected, and have appropriate security measures in place to protect personal data after collection.

Significantly, the Utah law pivots away from the rights provided in the California Consumer Privacy Act by not providing a private cause of action if the law is violated.

The law provides authority to the Attorney General to enforce its provisions and to seek recovery for actual damages of any consumer, and $7500 per violation of the law. Any funds received by the Attorney General for enforcement of the law will be deposited into the Consumer Privacy Account, which is designated a restricted account, so the funds can be used for enforcement actions and providing education to consumers up to $4,000,000.

The law becomes effective on December 31, 2023.

We anticipate more state privacy laws to be enacted this year, and we will update you on those laws as they are signed by Governors.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins