Could Utah join it’s mountain neighbor Colorado and be the latest state to adopt a comprehensive data privacy law? On March 4, the Utah Senate unanimously passed Senate Bill (SB) 227 – the Utah Consumer Privacy Act (UCPA). It is now up to Utah’s Governor, Spencer Cox, to sign the bill into law – making Utah the fourth state (following California, Virginia and Colorado) to pass a data privacy law and join the ever-growing privacy party.

Introduced in February 2022, SB 227 sets forth several consumer data protection standards, including Utah consumers’ rights to their personal data, the responsibilities on businesses (called “controllers” and “processors”) to protect such data, and the authority of the Utah Attorney General to investigate and enforce violations of the new law. If the bill is passed, the law will go into effect on December 31, 2023.

Utah’s bill is reportedly modeled after the Virginia Consumer Data Protection Act (VCDPA).  Some notable features of the bill include:

  • Applicability. The threshold for applicability under the UCPA is similar to other state laws.  The law will apply to non-exempt entities that:

(i) Target products or services to citizens of, or conduct business in, Utah;

(ii) have at least $25,000,000 in annual revenue; and

(iii) satisfy one or more of the following thresholds:

        • during a calendar year, control or processes Personal Data of 100,000 consumers (i.e., individuals who are residents of Utah); or
        • derive 50% of gross revenue from the sale of Personal Data while controlling/processing Personal Data of 25,000 consumers.
  • Key Terms. The UCPA uses the term “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” The law specifically excludes “deidentified data, aggregated data, or publicly available information” from the definition. Additionally, the terms “Processor” and “Controller” are defined as they are in the VCDPA.
  • Consumer Rights. The UCPA gives consumers opt-out rights for Personal Data use in targeted ads and the sale of Personal Data, but NOT for automated profiling. There is a right to delete/obtain a copy of Personal Data, but this right is limited to only the data the consumer, itself, provides to the controller.
  • Sale of Personal Data. Unlike the California Consumer Privacy Act (CCPA), which construes the “sale” of personal information broadly, the UCPA defines “sale” as “the exchange of personal data for monetary consideration by a controller to a third party.” The UCPA also makes a unique carve out to what constitutes the “sale” of Personal Data. Under the Utah law, the context in which the Personal Data was provided is considered when determining whether a “sale” of data has occurred. A controller disclosing Personal Data to a third party for monetary compensation is NOT a “sale” under the UCPA “if the purpose is consistent with a consumer’s reasonable expectations.”
  • Enforcement. Notably, there is no private right of action under the UCPA. Thus, only the Utah Attorney General can enforce penalties against businesses for violating the UCPA. Fines for violations may not exceed$7,500 per violation.
  • Cure period. The bill also includes a 30-day right to cure. Following written notice from the Attorney General, entities will have 30 days to correct the violation under the UCPA.
  • Data Processing Agreement (DPA) requirement. The Utah law requires controllers and processors to enter into data processing agreements, but unlike the CCPA, the bill lacks specific processing requirements that must be addressed in the agreement.

Taft will continue to monitor any changes to Senate Bill 227 and keep you updated on such developments right here on Taft’s Privacy and Data Security Insights blog.  For more information on Senate Bill 227 and other data privacy questions, please contact Taft’s Privacy and Data Security Team.