We’ve got another one! Utah is now the fourth state to enact comprehensive consumer privacy legislation. Like the laws in California, Virginia, and Colorado, the Utah Consumer Privacy Act gives Utah consumers the right to know what personal information is being collected and the right to have such data deleted. The law, which is set to take effect December 31, 2023, will apply to businesses with revenue of $25 million or more that satisfy one or more of the following thresholds: (i) handle personal information of 100,000 or more Utah consumers per year, (ii) derive over 50% of gross revenue from the sale of personal information, or (iii) process personal information of 25,000 or more Utah consumers.
The Utah law does not apply to governmental entities, tribes, higher education institutions, or nonprofits and does not cover protected health data under the Health Insurance Portability and Accountability Act or data collected or processed in accordance with the Gramm-Leach-Bliley Act.
In many respects, the Utah law is more business-friendly than its predecessors. There is no private right of action for violations, and covered companies are given 30 days to cure alleged violations before the Utah Attorney General can commence an enforcement action.
Utah’s law is the first to be passed in 2022, but we certainly expect to see more movement this year. Companies covered by this law or the laws in Virginia and Colorado (set to be effective January 1, 2023, and July 1, 2023, respectively) should begin assessing their to-do lists for compliance. Despite the overlap between these comprehensive privacy regimes, nuanced differences will require a careful look at each law to ensure compliance. Nixon Peabody’s Cybersecurity & Privacy Team can help develop efficient and compliant privacy programs.