Utah Consumer Privacy Act Passes State Legislature
This week, the Utah legislature passed the Utah Consumer Privacy Act (SB 227). If enacted by Governor Spencer Cox, Utah will follow California, Virginia, and Colorado as the fourth U.S. state to establish a baseline regime for the protection of personal data. The law would come into effect in December 2023.
“While the Utah Consumer Privacy Act would create some new rights for Utah residents, it contains significantly fewer privacy protections than leading state frameworks. A national comprehensive law that sets strong baseline standards will be the only way to ensure that geography doesn’t determine individuals’ basic privacy rights.”Statement by Keir Lamont, Senior Counsel, Future of Privacy Forum
The Utah Consumer Privacy Act shares a similar structural framework for protecting personal information as legislation enacted in Virginia and Colorado. As such, it would be unlikely to introduce significant new compliance challenges for businesses that are already preparing for those laws, which come into effect in 2023.
However, Utah’s law would set significantly narrower individual rights and business obligations than privacy regimes enacted in other states.
- Individual Rights: The Act would create new rights for Utah consumers to access their information and delete personal data previously provided to a business. It would also provide individuals with the ability to opt-out of the processing of personal data for targeted advertising and sales. Diverging from existing state privacy laws, the Act lacks a right to correct inaccurate personal data or to opt-out of significant profiling decisions. Finally, unlike Virginia and Colorado, the Act would not require affirmative, opt-in consent for the collection and processing of sensitive data.
- Business Obligations: For covered businesses, the Act would create transparency requirements and new data security obligations. However, unlike other state privacy laws, the Act does not include a requirement to conduct data protection assessments. The Act also fails to include protections for civil rights and lacks FIPPs-style requirements for data minimization and limits on secondary use.
- Enforcement: The Act would delegate exclusive enforcement authority to the Utah Attorney General but would require a consumer complaint process, routed through the Division of Consumer Protection in the Utah Department of Commerce, prior to initiating an enforcement action.
The Utah Consumer Privacy Act is poised to secure some important new protections for Utah residents, such as access and deletion of certain personal information. However, given its limitations, the Act would not meaningfully advance individual privacy interests relative to approaches taken in other jurisdictions. The ultimate significance of the Utah Consumer Privacy Act may be that it represents an overall trend of U.S. states toward adopting privacy frameworks that are based upon the Virginia and Colorado laws, rather than following the lead of California.
Media Inquiries: [email protected]