Utah has become the fourth U.S. state to pass a comprehensive data privacy law, with others potentially on the way during this legislative session.
The Utah Consumer Privacy Act (S.B. 227) was signed into law March 24 by Gov. Spencer Cox (R). Utah joins California, Virginia, and Colorado as states with comprehensive laws that order companies that collect personal data to allow their customers to opt out of the collecting of certain data; to access and delete some types of data upon request; and to be transparent about why they collect data and whether it is sold to third parties.
The Utah law applies to companies conducting business in the state or that have Utah residents as customers. Covered entities must have at least $25 million in annual revenue, control or process the personal data of more than 100,000 customers, or derive 50 percent of revenue from the sale of personal data of at least 25,000 customers.
The law “guarantees rights to consumers while avoiding unnecessary regulation for corporations,” said Republican State Senator Kirk Cullimore, who sponsored the bill, in a statement. “This bill is a win for both Utahns and businesses, and I hope it will serve as a model for other states.”
Like Colorado and Virginia, Utah’s data privacy law does not include a private right of action, in which consumers are allowed to sue companies they believe have mishandled their data. All three state laws are scheduled to take effect in 2023: Virginia on Jan. 1, Colorado on July 1, and Utah on Dec. 31.
California’s data privacy law, the California Consumer Privacy Act (CCPA), has been in effect since 2020 and does allow for a private right of action. There have been more than 200 CCPA-related cases filed as of March, according to law firm Perkins Coie. The CCPA will be replaced on Jan. 1, 2023, with the California Privacy Rights Act (CPRA), which will empower a new state agency called the California Privacy Protection Agency to promulgate rules and enforce the new law.
A total of 17 state legislatures currently have active consumer privacy bills in front of lawmakers, according to a state data privacy legislation tracker from the International Association of Privacy Professionals (IAPP).
There are some differences between Utah’s law and its predecessors in California, Colorado, and Virginia.
Utah’s law requires that complaints about possible violations begin with the state’s Division of Consumer Protection, which would then refer complaints to the state attorney general. In California, Colorado, and Virginia, complaints begin with the state attorney general.
Utah’s law also does not require companies to correct data at a customer’s request, only to delete it. Nor do customers have a right against automated decision-making, which Colorado’s and Virginia’s laws contain, according to the IAPP.
Another difference is the Utah law does not require companies to conduct a data protection assessment, according to Tara Cho, partner with law firm Womble Bond Dickinson. California’s, Virginia’s, and Colorado’s laws each require companies to conduct an assessment that lists steps taken to keep customers’ personal information safe.
“Utah’s law is a bit lighter in terms of rigidity and fear factor,” Cho said.
Alex Nisenbaum, partner with law firm Blank Rome, said Utah’s law might “herald a path forward for more business-friendly comprehensive privacy laws,” noting the Utah law scales back multiple requirements that are part of other state privacy laws.
Cho said many companies likely won’t specifically seek to comply with the particulars of Utah’s law but will fulfill data privacy requests from customers anywhere in the country.
“Most of them don’t want to have an emailed back-and-forth about why they are denying a request based on jurisdiction or don’t have the resources to do so,” she said. “They’d just rather offer the rights universally, regardless of state residency.”
Nisenbaum agreed with that assessment.
“The biggest question we get from clients is what do I have to do in terms of a high-water mark so I don’t have to use five different internal mechanisms to comply with five laws,” he said. “Companies may not find it worthwhile to screen out whether a request is coming from California versus another jurisdiction with similar but slightly different rights.”