Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Utah’s ‘Business Friendly’ Privacy Act Signed  

April 19, 2022

CPO Magazine reported on April 13 that a consumer privacy act has been signed into law in Utah and takes effect on December 31, 2023, making it the fourth state privacy bill to be passed. While it is comparable in some respects to the prior bills passed in California, Virginia and Colorado, the Utah bill is the most business-friendly.

The Utah privacy act does not contain a private right of action, nor does it apply to government or non-profit agencies. Health care organizations already subject to the Health Insurance Portability and Accountability Act (HIPAA) and finance organizations already subject to Title V of the Gramm-Leach-Bliley Act are also exempted, as are any health records already subject to HIPAA rules.

Given the initial threshold of at least $25 million in annual revenue, the Utah Consumer Privacy Act will probably apply to well under 1% of the state’s businesses and will mostly apply to international or nation-spanning firms. In addition to bringing in more annual revenue than most companies in the state ever reach, affected organizations must either handle the personal data of at least 100,000 people, or derive over 50% of their revenue from the sale of personal data and actively process the personal data of at least 25,000 customers.

Other business-friendly terms of the privacy act that are not found in the legislation of other states include a complete lack of data protection assessment requirements and an automatic 30-day window granted to companies to address violations before the attorney general’s office can bring an enforcement action.

Though there is bipartisan interest in getting a federal privacy bill passed, the issue seems to keep getting sidelined. As the federal government is dragging its feet, individual states have begun to take the matter into their own hands. The Utah privacy act demonstrates how much difference there can be from state to state.

Though the bill is the most business-friendly of the four that have become law, it does share some consumer protections with its predecessors. Companies that are covered by its terms will have to allow consumers to opt out of personal data collection and use, provide access to and the right to request deletion of certain data, be transparent about data collection and use, and require certain data safeguards. Consumers will be able to bring complaints about data processing violations to the Division of Consumer Protection.

Fines may be up to $7,500 per violation of the privacy act. These funds are to be directed to the state Consumer Privacy Account, which is used for consumer education and conducting enforcement actions.

State lawmakers have said that the privacy act is to be considered a “starting point” and that future amendments are possible that may not be as business-friendly. The Utah attorney general and the Division of Consumer Protection will be required to keep track of the effectiveness of the law and file a report by the beginning of July 2025.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology