The Utah Consumer Privacy Act unanimously passed the Utah Senate on February 25 and, with a few minor wording changes, passed unanimously in the Utah House on March 2. The final version is awaiting Governor Spencer Cox’s signature. If signed by the March 24 deadline, the law will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law.

The law applies to controllers or processors that do business in the state or produce a product or service targeted to consumers who are Utah residents, have annual revenue of $25 million or more; and either a) control or process personal data of 100,000 or more consumers during a calendar year; or b) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Under the new law, consumers have the right to confirm whether a controller is processing their personal data, obtain a copy of their personal data in a format that is portable and readily usable, and request deletion. Utah’s law most closely resembles Virginia’s Consumer Data Protection Act and does not include a private right of action. This means consumers won’t be able to sue for alleged violations, as the law is only enforceable by the Utah Attorney General (including a 30-day cure period). The law includes broad exemptions for entities regulated under certain federal laws, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), information governed by HIPAA, financial institutions and information governed by the Gramm-Leach-Bliley Act (GLBA), and personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Unlike California, the law does not provide rulemaking authority for the Utah Attorney General’s Office.

Companies are required to publish privacy notices, providing:

• the categories or personal data processed;

• the purpose for the processing;

• how consumers may exercise a right;

• the categories of personal data the controller shares with third parties; and

• the categories of third parties with whom the controller shares personal data.

The Utah Consumer Privacy Act also creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt-out of the processing.

It is unlikely the addition of privacy law in Utah will tip the balance in favor of a federal data privacy law during the current legislative session. We are monitoring state legislative activity and could see at least two more states pass similarly comprehensive consumer privacy laws this session.