Support Centre

Utah

Summary

Law: Utah Consumer Privacy Act ('UCPA')

Regulator: The Utah Attorney General ('AG')

Summary: The Utah Governor signed, on 24 March 2022, the UCPA, making Utah the fourth State to enact comprehensive privacy legislation. The UCPA establishes consumers' rights around access, deletion, portability, and provides for the right to opt-out of targeted advertising and sale of personal data. The UCPA also establishes various controller and processor obligations, privacy notice requirements, and grants the AG exclusive authority to enforce its provisions. The UCPA will enter into effect on 31 December 2023.

In addition, House Bill 57 for the Electronic Information or Data Privacy Act ('the Act') entered into force on 14 May 2019, and protects third-party electronic information or data and provides that the presumed owner of the data, and therefore the person who may maintain a reasonable expectation of privacy in relation to the data, is the individual transmitting such data to a third party. Furthermore, Utah requires the notification of breaches of personal data to affected data subjects, with violations facing civil penalties of injunctive relief sought by the AG.

Insights

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

The Utah Senate passed, on 3 March 2022, Senate Bill ('SB') 227 for a Consumer Privacy Act ('UCPA') which was later signed by the Governor on 24 March 2022, making Utah the fourth State to enact comprehensive privacy legislation. The UCPA will enter into effect on 31 December 2023.

Notably, the UCPA establishes various controller and processor obligations, privacy notice requirements, and introduces several data subject rights.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article1, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA) passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227 making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.

On 24 March 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ('UCPA') into law, making Utah the latest State to adopt comprehensive privacy legislation. The UCPA - along with the California Privacy Rights Act of 2020 ('CPRA'), the Colorado Privacy Act ('CPA'), and the Virginia Consumer Data Protection Act ('CDPA') - make up a new wave of laws going into effect in 2023 ('the 2023 Laws') that will reshape the privacy landscape in the US.

The UCPA tracks closely with the CDPA, and it is unlikely to drastically impact the compliance regime for businesses subject to the other 2023 Laws or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UCPA does include certain differences, largely in ways that narrow its application and lessen the burdens on controllers. In this sense, the UCPA may become a new model for more States that tend to lean more conservative and pro-business. In this article, Gregory Szewczyk, Partner at Ballard Spahr LLP, explores some of these differences.

On 24 March 2022, the Utah State Governor signed Senate Bill ('SB') 227, thereby enacting the Utah Consumer Privacy Act ('UCPA') and making Utah the fourth State in the US to pass a comprehensive privacy law, bringing it more in line with the likes of California, Colorado, and Virginia. Although the UCPA will enter into effect on 31 December 2023, giving businesses some time to consider its provisions and prepare, various considerations need to be made to understand the extent of the UCPA's requirements on businesses. As such, OneTrust DataGuidance highlights some of the key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regards to enforcement.

Utah has crossed the finish line in becoming number four on the #Patchwork2022 #GameOfLaws contest. Enter: Senate Bill 227 for a Consumer Privacy Act1 ('UCPA'), coming to a compliance department near you in December 2023.

On 24 March 2022, the Utah Governor signed into law the UCPA. The (surprising) fourth US state after California, Virginia, and Colorado to have a comprehensive data protection law, the UCPA borrows heavily both from the California Consumer Privacy Act of 2018 ('CCPA') and Virginia's Consumer Data Protection Act ('CDPA') but has more carve outs. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, considers the key things to think about and to do for companies who have not undergone a formal data protection compliance or which have undergone a CCPA or GDPR compliance plan.

Please note that this article was amended on 25 March 2022 to reflect the passing of the UCPA.

On 11 March 2021, Utah Governor, Spencer Cox, signed House Bill ('HB') 80 for the Cybersecurity Affirmative Defense Act ('the Act') into law, providing Utah's response to the concern regarding potential liability even for entities that have made a strong compliance effort. Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, summarise its main provisions.

Feedback