On March 3, 2022, the Utah House of Representatives unanimously passed a consumer privacy bill which the Utah Senate passed earlier this year. The bill, entitled the Utah Consumer Privacy Act, still has several hurdles to jump through before becoming law. Leaders from both legislative chambers will need to provide their signatures before the 2022 session adjournment on March 4, 2022; following those signatures, Utah Governor Spencer J. Cox has 20 days to sign or veto the bill before it becomes law. Despite these remaining hurdles, the bill is widely expected to become the fourth comprehensive state consumer privacy law in the United States and the first such bill to become law in 2022.

IN DEPTH

The Utah Consumer Privacy Act would apply to businesses who:

1. Conduct business in Utah or produce a product or service targeted to Utah residents;

2. Have an annual gross revenue of over $25 million; and

3. Either (i) control or process the personal data of at least 100,000 residents or (ii) derive over 50% of its gross revenue from the “sale” of personal data and controls or processes personal data of at least 25,000 residents.

The Act’s applicability would make it narrower than any currently enacted state privacy law to date. And as with other state laws, the Act contains broad exceptions for certain entities and data categories, including higher education institutions, nonprofits, and information and entities regulated by both the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The Act, which is scheduled to take effect on December 31, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals:

• The Act provides consumers with the now well-known rights of notice, access, portability and deletion. These rights, however, are limited by reasonable business-use exemptions, such as detecting fraud and complying with a company’s legal obligations. Notably, the Act does not provide consumers with the right to correction.

• Like other laws, the Utah Consumer Privacy Act allows consumers to opt-out of the use of their information for certain purposes, including targeted advertising and the sale of personal information. Unlike other state laws, the Utah Consumer Privacy Act does not allow consumers to opt-out of automated “profiling.”

• The “personal information” protected by the bill includes information that is linked or reasonably linkable to an identified or identifiable individual. “Personal information” does not include deidentified, aggregated or publicly available information.

• The Act would exclude employee data and business-to-business contact information from its scope, following similar exclusions in other states.

• The Act creates a category of “sensitive” information, which includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health, biometric or genetic data, and geolocation data. However, instead of following the Virginia/Colorado model and requiring opt-in consent for the collection and processing of sensitive information, the Act would require businesses to provide notice and an opportunity to opt out of the use of “sensitive” data.

• The Utah Consumer Privacy Act is exclusively enforced through actions by the Utah Attorney General. The law does not provide for a private right of action.

• The Act grants the Utah Department of Commerce Division of Consumer Protection the power to investigate consumer complaints regarding the processing of their personal information by a business. If the director of the Division of Consumer Protection has reasonable cause to believe that substantial evidence exists that the business is in violation of the law, the director will then refer the matter to the Attorney General.