Overview
On March 24, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act, which gives state residents the right to know what personal information businesses collect about them, to require businesses to delete their personal information, and to opt out of the sale of their data or its use in targeted advertising. Utah joins California, Virginia, and Colorado in the growing club of states with similar consumer privacy laws. The law follows the general contours of its statutory progenitor, the California Consumer Privacy Act (CCPA), but in many ways is less burdensome to business. The law takes effect December 31, 2023.
The Utah law applies to for-profit companies that do business in Utah or target products or services at residents of the state, have annual revenue of $25,000,000 or more, and either: a) control or process personal data of at least 100,000 Utah residents in a calendar year or b) derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 Utah residents. There are numerous exceptions to the law’s applicability, including for entities and information regulated by HIPAA and the Gramm-Leach-Bliley Act.
In broad strokes, the Utah law gives consumers (defined as residents of Utah "acting in an individual or household context" and not "an employment or commercial context") the rights to:
- Confirm whether a controller is processing the consumer’s personal data.
- Access that personal data.
- Delete personal data that the consumer provided to the controller.
- Obtain a copy of personal data that the consumer previously provided to the controller, in a format that is portable, readily useable, and transferable to another controller.
- Opt out of the sale of the consumer's personal data or its processing for targeted advertising.
- Opt out of the processing of "sensitive data" collected from the consumer.