Logo
Media Centre

Utah Becomes the 4th US State to Enact a Comprehensive Data Protection Law

Ariel Yosefi

6 March 2022

Utah’s legislators have recently enacted a new and comprehensive privacy act – the Utah Consumer Privacy Act (“UCPA“). Utah is now the fourth state to enact a state privacy law in absence of a comprehensive federal privacy law, following California, Virginia and Colorado.

The law is materially similar to the abovementioned laws, and to Virginia’s recently enacted law (which we have previously reported about) in particular. However, the law is not identical to other state laws or similar advanced privacy laws, and although generally narrower in comparison to them in certain aspects, it would require certain adjustments of compliance efforts.

The new law would apply to all entities that conduct business in Utah, or produce a product or service that targets Utah’s residents, and meet the following thresholds:

  1. An annual gross revenue of over $25 million; and
  2. Either (1) the entity controls or processes personal data of over 100,000 Utah residents; or (2) derives over 50% of its gross revenue from the “sale” of personal data and controls or processes personal data of at least 25,000 Utah residents.

 

Similarly to the other state privacy laws, the UCPA contains exceptions for certain data categories and entities, such as those that are regulated under sectorial federal law (e.g. the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act). In addition, the UCPA excludes employment data and business-to-business contact information from its scope, following similar exclusions (some are permanent while others are only applicable in the transition period) in other state privacy laws.

 

Below are some of the key highlights of the UCPA:

  • Consumer rights: the UCPA provides consumers with rights in connection with their data, including the rights of access, deletion and portability. However, the UCPA does not provide consumers with the right to correct their personal data. In addition, the aforementioned rights are not absolute, and are limited by certain exceptions, such as for requests that are unreasonably burdensome requests, and for circumstances where the data is requited fraud detection or compliance with the businesses’ legal obligations.

 

  • Opt out: the UCPA also allows consumers to opt out of certain uses of their personal data, including targeted advertising and ‘sale‘ of personal data. However, the UCPA does not allow consumers to opt out of automated profiling. “Sale” is narrowly defined in the UCPA as “exchange of personal data for monetary consideration“, and disclosures of personal data to third parties is would be excluded, to the extent that such disclosures are consistent with the consumers’ reasonable expectations.

 

  • Sensitive data: as opposed to privacy laws that require affirmative consent for collection and processing of sensitive data, the UCPA requires businesses to provide consumers with a notice and an opportunity to opt-out of the use of sensitive data (which includes, inter alia, health, biometric and geolocation data).

 

  • Enforcement: The UCPA does not create a private right of action. The law will be exclusively enforced by Utah’s Attorney General, which is required to provide business with a 30 days’ cure period for any alleged violation (except for subsequent violations by the same business). Each violation of the UCPA could lead to fines of up to $7,500 per violation. Consumers’ complaints will be referred to the Attorney General through the Division of Consumer Protection in the Utah Department of Commerce, if the Division deems the complaint as legitimate.

 

The UCPA is still subject to Utah’s Governor’s signature, however approval without any changes is expected, as the law was approved by both the state’s House of Representatives and the Senate. The law is expected to enter into force on 31 December 2023.

The UCPA presents an important regulatory development for entities that conduct business in the Unites States in connection with personal data of Utah residents. Relevant businesses should examine their data flows and assess the UCPA’s applicability over them.

Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search