The Utah legislature unanimously passed the Utah Consumer Privacy Act (S.B. 227) on March 3, 2022 — one day before it adjourned for its 64th session.
The bill, which was introduced on February 18, 2022, was eligible for consideration on the Senate floor less than a week later. On February 25, the Senate voted unanimously to pass the bill, moving it on to the House for approval, where it also passed unanimously after minor amendments.
The Senate confirmed the House’s amendments yesterday, despite a coalition of privacy groups urging the state Governor to return the bill to the legislature for further review.
The Fourth U.S. State Privacy Act
The bill now sits with the Governor, who will have twenty days to decide whether to sign, not sign, or veto the bill. As it stands, S.B. 227 is set to become the fourth state privacy act in the United States following California, Virginia, and Colorado.
S.B. 227 shares several similarities with Virginia’s CDPA (VCDPA) and Colorado’s CPA. For example, the bill imposes separate obligations on a covered entity based on whether the entity serves as a controller or processor of consumer data.
The bill would apply to any controller or processor that does business in Utah or provides consumer products and/or services that are aimed at Utah residents; has a yearly revenue of $25,000,000 or more; and meets one or more of the following conditions:
- Controls or processes the personal data of 100,000 or more consumers; or
- Gains over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Exceptions Under the Utah Bill
The bill would not apply to government entities, employee data, nonprofit organizations, higher education institutions, tribes, or businesses covered under HIPAA.
Much like the privacy laws passed in the other three states, the bill would also not apply to information that is governed by the FCRA, the GLBA, or HIPAA.
Some other notable points to consider if the UCPA passes into law include that it would:
- Provide consumers the right to access, correct, or delete personal data (with some exceptions) — as well as the right to opt out of certain processing activities, such as targeted advertising and the sale of personal data;
- Apply the term “sensitive data” to the personal data of children (i.e., minors below the age of 13 in Utah);
- Allow a parent or legal guardian of a child to exercise consumer rights on their behalf; and
- Assign the Utah Attorney General enforcement powers, as opposed to granting consumers a private right of action like the forthcoming CPRA.
AG Enforcement of UCPA
As first reported by the IAPP, one detail that makes the UCPA stand out from the other state privacy laws is that it implements a two-step process for enforcement actions. First, a consumer would be required to file a claim with the Utah Department of Commerce’s Division of Consumer Protection. The division would then investigate the consumer’s claim for legitimacy and either approve or reject it based on its findings.
If the Division approves the consumer’s claim, it will submit it to the Utah Attorney General’s office to determine whether to bring an enforcement action against the business. However, the AG must first provide written notice to the business and allow it 30 days to cure the violation. Only if the business fails to cure the violation can the AG file an enforcement action against it.
If signed into law, the UCPA will take effect on December 31, 2023. With the help of BigID, customers satisfy the compliance requirements set forth under the UCPA — such as accommodating and automating data subject requests, providing security and protection measures for sensitive consumer data, fulfilling opt-out requests for the sale of personal data or processing activities related to targeted advertising, and giving businesses the right tools to help them understand why and how they use the personal data that they collect from consumers.