The Utah Legislature passed a comprehensive privacy bill last week that would make it the fourth state to pass such a law. The bill is modeled after the Virginia bill that passed in 2021 and does not include a private right of action.
Lawmakers in 29 states and D.C. have considered comprehensive privacy bills in 2022, with bills approved in one chamber so far in Florida, Indiana, Oklahoma, Washington, and Wisconsin.
3/25/22 update: Utah's privacy bill was signed by the Governor on 3/24/22, making it the fourth state to enact comprehensive privacy legislation in the last few years.
Utah is poised to become the fourth state to enact a comprehensive privacy law after the legislature approved legislation (UT SB 227) last week. If it is not vetoed by Governor Spencer Cox (R) within 20 days after he receives the bill, it becomes law, taking effect on December 31, 2023. The governor has not indicated any opposition to the bill.
The measure, known as the Utah Consumer Privacy Act, is based largely on the model enacted by Virginia last year, but with some business-friendly changes. Like privacy laws enacted in California, Colorado, and Virginia, the Utah bill would give consumers several rights over the personal information collected by businesses, including the right to access that information, delete that information, obtain a portable copy of the information, and opt out of the processing of the information for targeted advertising or sale to a third party.
Differences from Other Privacy Laws
However, the Utah version would depart from previous privacy laws in a few key ways:
The bill would only target larger companies, applying the law only to those businesses in the state that reach the annual revenue threshold of $25 million and either (a) process the data of at least 100,000 consumers or (b) derive 50 percent of gross revenues from the sale of data and control or process the data of at least 25,000 consumers. The privacy laws in Colorado and Virginia do not have annual revenue thresholds, and California’s law applies both to companies with $25 million in annual revenues and to companies that don’t meet the revenue threshold but process the data of 50,000 consumers or derive 50 percent of revenues from the sale of data.
Unlike other states, the Utah bill would not give consumers a right to correct inaccurate personal information. The right to delete is also limited to just information the consumer provided to the business.
Consumers have the right to opt out of targeted advertising and the sale of information to third parties, but not the right to opt out of profiling, as the Virginia law provides. The bill also does not require businesses to recognize a global privacy control for opt-out requests like the California law.
Colorado and Virginia gave greater protections to certain “sensitive data,” requiring consent to be given before businesses processed that data. The Utah bill would not require consent before processing, only requiring notice to be given to the consumer with an opportunity to opt out. The Utah bill also provides that “sensitive data” does not include personal data that reveals racial or ethnic origin, if the personal data is processed by a video communication service provider, or information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis, if processed by a licensed health care provider.
The Utah bill does not include a private right of action and would instead require the Utah Division of Consumer Protection (DCP) to investigate consumer complaints. DCP can refer certain cases to the state attorney general, and businesses will be given a 30-day period to cure any violations. The two offices will prepare a report on the effectiveness of this enforcement scheme by July 1, 2025.
Other State Privacy Legislation in 2022
Additional states could join Utah and pass comprehensive privacy legislation this year. Currently, lawmakers in 29 states and D.C. are debating privacy legislation.
Most legislation has seen little action, but a few states, highlighted below, have advanced legislation through one legislative chamber.
Indiana SB 358 passed its chamber of origin in early February, but failed to meet the deadline for a third reading in the House, and was not revived as the legislature adjourned this week.
Oklahoma HB 1602, which would require a consumer to opt in to have their information sold to a third party, passed the House last year but was bottled up in the Senate Judiciary Committee. That bill is technically still alive, but the sponsor has moved on to introduce OK HB 2969, which was amended to include much of the same language as HB 1602 and was unanimously approved by the House Technology Committee.
Wisconsin AB 957 was approved by the Assembly with mostly Republican support on a 59-37 vote but does not have a committee hearing scheduled in the Senate as they wind down their work with a scheduled adjournment set for March 10.