The Utah Legislature has passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state for companies meeting certain thresholds.
The bill will apply to a data controller that conducts business in the state or produces products or services for consumer residents that also:
- Has annual revenue of $25,000,000 or more and controls or processes personal data of 100,000 or more consumers, or
- Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers.
Data processors must adhere to a data controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires data controllers to, among other things:
- Provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties)
- Disclose to a consumer if personal data is sold to third parties or if it engages in targeted advertising, how consumers may exercise their rights under the bill
- Avoid processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
Consumers will be able to, among other things:
(a) Confirm whether their personal data is being processed and access their data
(b) Delete their data
(c) Obtain a copy of their previously provided data; and,
(d) Opt out of the processing of their data for targeted advertising and the sale of their data.
The regulation contains many consumer rights but no private right of action. It gives the Division of Consumer Protection investigative power. It also grants the state attorney general exclusive authority to enforce the law. As well as, to seek penalties of up to $7,500 per violation plus recovery of reasonable investigation and litigation expenses.
SB 227 is similar to other state and international regulations such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Virginia Consumer Data Protection Act (VCDPA). If signed, it would likely be effective December 31, 2023.