On March 24, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act, which gives state residents the right to know what personal information businesses collect about them, to require businesses to delete their personal information, and to opt out of the sale of their data or its use in targeted advertising. Utah joins California, Virginia, and Colorado in the growing club of states with similar consumer privacy laws. The law follows the general contours of its statutory progenitor, the California Consumer Privacy Act (CCPA), but in many ways is less burdensome to business. The law takes effect December 31, 2023.

The Utah law applies to for-profit companies that do business in Utah or target products or services at residents of the state, have annual revenue of $25,000,000 or more, and either: a) control or process personal data of at least 100,000 Utah residents in a calendar year or b) derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 Utah residents. There are numerous exceptions to the law’s applicability, including for entities and information regulated by HIPAA and the Gramm-Leach-Bliley Act.

In broad strokes, the Utah law gives consumers (defined as residents of Utah “acting in an individual or household context” and not “an employment or commercial context”) the rights to:

  • Confirm whether a controller is processing the consumer’s personal data.
  • Access that personal data.
  • Delete personal data that the consumer provided to the controller.
  • Obtain a copy of personal data that the consumer previously provided to the controller, in a format that is portable, readily useable, and transferable to another controller.
  • Opt out of the sale of the consumer’s personal data or its processing for targeted advertising.
  • Opt out of the processing of “sensitive data” collected from the consumer.

“Sensitive data” is defined as personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; genetic personal data or biometric data, if processed for the purpose of identifying a specific individual; or specific geolocation data. Sensitive data does not include data that reveals racial or ethnic origin if the personal data is processed by a video communication service, or data processed by a licensed health care provider.

The law allows businesses to prescribe the means by which consumer requests are made, but requires businesses to take action on a request, and inform the consumer of that action, within 45 days of the request (extendable by one additional 45-day period). Controllers need not comply with a request if it appears to be fraudulent or the controller cannot authenticate it using commercially reasonable means. A controller may not charge a fee for responding to a request unless the request is the consumer’s second or subsequent request in a 12-month period. In addition, a controller can refuse to act on a request, or can charge a reasonable fee to cover the administrative costs of complying, if the request is “excessive, repetitive, technically infeasible, or manifestly unfounded,” “the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right,” or “the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller’s business.” However, a controller who relies on one of these grounds for rejecting a request or for charging a fee bears the burden of demonstrating that the ground applies.

Controllers are also required to provide consumers with “a reasonably accessible and clear privacy notice” that includes: “(i) the categories of personal data processed by the controller; (ii) the purposes for which the categories of personal data are processed; (iii) how consumers may exercise a right; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data.” A controller must also provide clear notice to consumers if it processes sensitive data. If a controller sells personal data or engages in targeted advertising, it must “clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out” of such sales or advertising.

Notably, some of the key terms in the Utah law are defined more narrowly than in the CCPA, potentially lessening some of the burden on businesses. “Sale” or “sell” means “the exchange of personal data for monetary consideration by a controller to a third party.” “Targeted advertising” means “displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests,” but does not include advertising “based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application,” among other things. “Third party” means “a person other than the consumer, controller, or processor and other than an affiliate or contractor of the controller or the processor.”

The law prohibits controllers from discriminating against consumers for exercising a right by denying a good or service to the consumer, charging a different price or rate, or providing the consumer a different level of quality of a good or service. However, controllers may offer a different price, rate, level, quality or selection if the consumer has opted out of targeted advertising or if the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, or similar program. A controller also is not required to provide a product, service, or functionality to a consumer if the consumer does not provide his or her personal data or allow its processing, but that data is reasonably necessary for the controller to provide the product, service, or functionality.

In addition to providing state residents with the rights and disclosures described above, the Utah law requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to…protect the confidentiality and integrity of personal data…and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.”