Utah has become the fourth U.S. state to enact comprehensive consumer privacy legislation after
The law gives consumers the right to know what personal data is being collected and ask it be deleted. The Utah Consumer Privacy Act is more business-friendly than legislation passed in California, Virginia, and Colorado, with no private right of action and the ability for companies to cure alleged violations within a 30-day time frame before the attorney general could conduct an enforcement action.
The law, which takes effect Dec. 31, 2023, will apply to businesses with annual revenues of $25 million or more that satisfy one or more of the following thresholds: handles personal data of 100,000 or more consumers per year; derives over 50% of gross revenue from the sale of personal data; and processes personal data of 25,000 or more consumers.
It won’t apply to governmental entities, tribes, higher education institutions, nonprofits, covered entities and business associates under the Health Insurance Portability and Accountability Act, and financial institutions or affiliates governed by Title V of the Gramm-Leach-Bliley Act. The law also won’t apply to protected health data under HIPAA and data collected, processed, sold, or disclosed in accordance with the GLBA.
Unlike other state privacy legislation, the Utah law doesn’t require businesses to conduct data protection assessments for the processing of sensitive information.
Utah is the first state in 2022 to have passed such legislation. Proposals in Florida, Indiana, and Wisconsin that passed one chamber this year each failed after time ran out in those states’ legislative sessions.