Utah Privacy Legislation: What MSPs and MSSPs Need to Know
Utah is poised to become the latest state to jump on the privacy bandwagon. Indeed, the Utah Consumer Privacy Act (UCPA) passed both houses of the state legislature in early March 2022. Once Governor Spencer Cox signs the bill, Utah will become the fourth state—after California, Virginia, and Colorado—to enact comprehensive privacy legislation. In fact, the UCPA seems to borrow heavily from its predecessors, and in particular is very similar to Virginia’s Consumer Data Privacy Act (VCDPA). Businesses serving customers in Utah will need to plan to comply with the law by December 21, 2023.
The law applies to businesses (termed “controllers” or “processors,” a framework borrowed from the VCDPA ) that:
- Conduct business in Utah or produce a product or service that is targeted to consumers who are residents of Utah;
- has annual revenue of $25,000,000 or more; and
- control or process personal data of 100,000 or more consumers, or derive over 50% of their gross revenues from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Notably, the law does not create a private right of action, and will be enforced exclusively by the Utah Attorney General.
The UCPA’s definition of “personal data” is the same as the VCDPA’s, defining it to include any data that is “linked or reasonably linkable” to an individual. The law gives consumers certain rights with respect to this data, including:
- The right to access personal data that a controller processes regarding the consumer;
- the right to delete data that the consumer provided to the controller;
- the right to obtain a copy of personal data; and
- the right to opt out of the sale of personal data.
The UCPA should not substantially alter the data privacy practices of businesses that are already in compliance with the data privacy legislation enacted by other states. In fact, the UCPA is narrower than other state privacy statutes in important respects. For example, the $25,000,000 revenue threshold distinguishes it from the VCDPA, which does not have a revenue threshold. And unlike the VCDPA, the UCPA does not give consumers the right to appeal denials of their requests under the statute. Nevertheless, the UCPA may create new obligations for some companies, and they should closely monitor any developments to ensure that business practices remain compliant with the law.