February 8, 2023

Volume XIII, Number 39


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

Utah Poised to Enact Consumer Privacy Law

On March 3, 2022, the Utah House of Representatives unanimously passed a consumer privacy bill which the Utah Senate passed earlier this year. The bill, entitled the Utah Consumer Privacy Act, still has several hurdles to jump through before becoming law. Leaders from both legislative chambers will need to provide their signatures before the 2022 session adjournment on March 4, 2022; following those signatures, Utah Governor Spencer J. Cox has 20 days to sign or veto the bill before it becomes law. Despite these remaining hurdles, the bill is widely expected to become the fourth comprehensive state consumer privacy law in the United States and the first such bill to become law in 2022.


The Utah Consumer Privacy Act would apply to businesses who:

  1. Conduct business in Utah or produce a product or service targeted to Utah residents;

  2. Have an annual gross revenue of over $25 million; and

  3. Either (i) control or process the personal data of at least 100,000 residents or (ii) derive over 50% of its gross revenue from the “sale” of personal data and controls or processes personal data of at least 25,000 residents.

The Act’s applicability would make it narrower than any currently enacted state privacy law to date. And as with other state laws, the Act contains broad exceptions for certain entities and data categories, including higher education institutions, nonprofits, and information and entities regulated by both the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The Act, which is scheduled to take effect on December 31, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals:

  • The Act provides consumers with the now well-known rights of notice, access, portability and deletion. These rights, however, are limited by reasonable business-use exemptions, such as detecting fraud and complying with a company’s legal obligations. Notably, the Act does not provide consumers with the right to correction.

  • Like other laws, the Utah Consumer Privacy Act allows consumers to opt-out of the use of their information for certain purposes, including targeted advertising and the sale of personal information. Unlike other state laws, the Utah Consumer Privacy Act does not allow consumers to opt-out of automated “profiling.”

  • The “personal information” protected by the bill includes information that is linked or reasonably linkable to an identified or identifiable individual. “Personal information” does not include deidentified, aggregated or publicly available information.

  • The Act would exclude employee data and business-to-business contact information from its scope, following similar exclusions in other states.

  • The Act creates a category of “sensitive” information, which includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health, biometric or genetic data, and geolocation data. However, instead of following the Virginia/Colorado model and requiring opt-in consent for the collection and processing of sensitive information, the Act would require businesses to provide notice and an opportunity to opt out of the use of “sensitive” data.

  • The Utah Consumer Privacy Act is exclusively enforced through actions by the Utah Attorney General. The law does not provide for a private right of action.

  • The Act grants the Utah Department of Commerce Division of Consumer Protection the power to investigate consumer complaints regarding the processing of their personal information by a business. If the director of the Division of Consumer Protection has reasonable cause to believe that substantial evidence exists that the business is in violation of the law, the director will then refer the matter to the Attorney General.


© 2023 McDermott Will & EmeryNational Law Review, Volume XII, Number 63

About this Author

David Saunders Cybbersec Attorney McDermott Will Emery Law Firm

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...

Austin Mooney Cybersecurity Attorney

Austin Mooney focuses his practice on global privacy, cybersecurity, and emerging technologies. A Certified Information Privacy Professional/Europe, he is experienced in helping clients navigate US and international data protection law, including the GDPR. He is well versed in consumer privacy actions, as well as in compliance issues with the Foreign Intelligence Surveillance Act (FISA) and other federal surveillance law. He counsels clients on a wide range of topics, including consumer protection law, cross-border data flows, and data breach response and prevention.


Cathy Lee IP Attorney McDermott Will & Emery

Cathy Lee focuses her practice on privacy and cybersecurity matters, including compliance and GDPR related matters.

Cathy’s experience encompasses, working with digital advertising companies to confirm compliance policies with the digital advertising ecosystem, as well as drafting training materials on the comprehensive data privacy laws globally including in Australia, Georgia, Hong Kong, Moldova, Montenegro, South Korea, Turkey and New Zealand.


During law school, Cathy was editor-in-chief for the American Intellectual Property Law Association Quarterly Journal...

202 756 8141