Utah has enacted a privacy law, after its House and Senate unanimously passed the Utah Consumer Privacy Act. Governor Spencer Cox signed the legislation, which means Utah joins California, Colorado and Virginia as the only states in the nation that have given the nod to comprehensive privacy statutes.
While the UCPA borrows from the California Consumer Privacy Act, understood to be the strictest data privacy law in the U.S., Utah’s version is narrower in scope and more business-friendly.
In terms of its application, the UCPA impacts only those companies that do all of the following:
- Operate in Utah or target Utah residents
- Earn revenue in excess of $25 million; and
- Control or process personal data of 100,000 or more consumers per calendar year OR earn 50%+ of gross revenue from selling personal data and control or process data of at least 25,000 consumers.
For its part, the CCPA also includes a $25 million revenue threshold for it to be triggered, but in California, this is a standalone basis for application.
Rights Under the UCPA
Pursuant to the UCPA, consumers are able to (1) confirm that a business is processing their personal data and (2) maintain the ability to access it (the so-called right of access). Likewise, they have the right to delete personal data that has been provided to a business. The Act provides for the right of data portability as well (e.g., consumers can obtain copies of data that a business controls, which data must be portable, usable and transmittable to other businesses). There is more. Like the privacy laws in effect in CA, CO and VA, consumers in Utah have the right to opt out of the processing of their data for purposes of targeted advertising or the sale of data.
These primary rights are in addition to the other consumer protections set forth in the legislation. That being said, Utah’s version of the privacy law has been characterized as being easier on businesses than—say—the CCPA, particularly given its omission of a private right of action. Along these same lines, the UCPA does not include a right allowing consumers to correct inaccuracies to their personal data, nor does it impose a mandate upon businesses to conduct and document risk assessments about their internal data processing practices.
The law in Utah includes broader exemptions than the CCPA does. In fact, the UCPA exempts tribes, institutions of higher education and nonprofits from its grips, among other entities. Note that these exemptions are on top of those that apply to entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA).
Regulation and Enforcement
The UCPA does not authorize Utah’s attorney general—or any other state official or agency—to issue related regulations (this is something that is permitted under the CCPA). Still, the AG’s office can propose changes to the law (if enacted) by way of an enforcement assessment due on July 1, 2025.
Regarding enforcement, the burden will fall upon Utah’s AG to pursue actions referred by the Division of Consumer Protection (which is within the Utah Department of Commerce), the body tasked with investigating potential violations of the law. Actual damages and penalties not to exceed $7,500 per violation can be assessed by the attorney general, but only after a 30-day notice and right to cure period.
Companies doing business in Utah will want to revisit their consumer data collection policies and procedures to ensure compliance with the law—this so as to avoid potential regulatory enforcement actions and exposure to damages and penalties.
Of course, the privacy lawyers at Michelman & Robinson, LLP will continue to monitor the privacy law landscape in Utah and beyond.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.