May 26, 2022

Volume XII, Number 146

Advertisement
Advertisement

May 25, 2022

Subscribe to Latest Legal News and Analysis

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Utah Likely Next State to Pass Consumer Privacy Law

The Utah Consumer Privacy Act unanimously passed the Utah Senate on February 25 and, with a few minor wording changes, passed unanimously in the Utah House on March 2. The final version is awaiting Governor Spencer Cox’s signature. If signed by the March 24 deadline, the law will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law.

The law applies to controllers or processors that do business in the state or produce a product or service targeted to consumers who are Utah residents, have annual revenue of $25 million or more; and either a) control or process personal data of 100,000 or more consumers during a calendar year; or b) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Under the new law, consumers have the right to confirm whether a controller is processing their personal data, obtain a copy of their personal data in a format that is portable and readily usable, and request deletion. Utah’s law most closely resembles Virginia’s Consumer Data Protection Act and does not include a private right of action. This means consumers won’t be able to sue for alleged violations, as the law is only enforceable by the Utah Attorney General (including a 30-day cure period). The law includes broad exemptions for entities regulated under certain federal laws, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), information governed by HIPAA, financial institutions and information governed by the Gramm-Leach-Bliley Act (GLBA), and personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Unlike California, the law does not provide rulemaking authority for the Utah Attorney General’s Office.

Companies are required to publish privacy notices, providing:

  • the categories or personal data processed;

  • the purpose for the processing;

  • how consumers may exercise a right;

  • the categories of personal data the controller shares with third parties; and

  • the categories of third parties with whom the controller shares personal data.

The Utah Consumer Privacy Act also creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt-out of the processing.

It is unlikely the addition of privacy law in Utah will tip the balance in favor of a federal data privacy law during the current legislative session. We are monitoring state legislative activity and could see at least two more states pass similarly comprehensive consumer privacy laws this session.

© 2022 Varnum LLPNational Law Review, Volume XII, Number 68
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jeffrey M. Stefan II Auto and Emerging Technology Attorney Varnum Law Firm
Counsel

Jeffrey is a technology-focused corporate attorney with broad legal authority in autonomous and connected vehicles. He previously served as autonomous vehicle counsel for a major global automaker providing regulatory counsel and transactional support. Prior to that role, he supported the automaker's emerging technology portfolio, which included connected vehicle services and other advanced safety technologies.

Jeffrey helps his clients navigate the evolving legal and public policy landscape for new and emerging technologies. He additionally focuses on technology startups assisting...

313-481-7343
Andrea M. Gumushian Attorney Data Privacy Varnum Law DC California
Associate

Andrea is an associate on Varnum’s data privacy and mobility practice teams. She advises leading mobility and technology providers on domestic and international data privacy laws and regulations. Her practice includes drafting and reviewing data protection impact assessments, privacy policies and product-specific privacy notices. Andrea helps clients implement policies and procedures for responding to consumer rights requests and data breaches under the EU-GDPR and California Consumer Privacy Act. She also has experience reviewing vendor and customer contracts with a...

313-481-7347
Advertisement
Advertisement
Advertisement