A new consumer privacy act has been signed into law in Utah and takes effect as 2023 ends, the fourth state bill of this nature to be passed. While it is comparable in some respects to the prior bills passed in California, Virginia and Colorado, the Utah bill is the most business-friendly of the bunch. Most state businesses will not be large enough to be subject to the terms, and it neither contains a private right of action nor applies to government or non-profit agencies.
Utah privacy act applies to under 1% of state businesses
Given the initial threshold of at least $25 million in annual revenue, the Utah Consumer Privacy Act will likely apply to well under 1% of the state’s businesses and mostly international or nation-spanning firms. In addition to bringing in more annual revenue than most companies in the state ever reach, organizations will have to tick at least one additional box from the following business-friendly list to be covered by the rules: they must either handle the personal data of at least 100,000 people, or derive over 50% of their revenue from the sale of personal data and actively process the personal data of at least 25,000 customers.
In addition to being business-friendly, the privacy act almost entirely exempts not-for-profit entities from its terms. Government agencies and offices, tribal organizations, non-profits, and higher education will not be subject to any new privacy requirements under the new rules. Health care organizations already subject to the Health Insurance Portability and Accountability Act (HIPAA) and finance organizations already subject to Title V of the Gramm-Leach-Bliley Act are also exempted, as are any health records already subject to HIPAA rules.
Other business-friendly terms of the privacy act that are not found in the legislation of other states include a complete lack of data protection assessment requirements, no private right of action for citizens to base class action lawsuits on the privacy act’s terms, and an automatic 30-day window granted to companies to address violations before the attorney general’s office can bring an enforcement action.
While the privacy act will not apply to the 99%+ of small businesses that make up the Utah economy, it will have an impact in one specific area of the state: the “Silicon Slopes,” something of a second Silicon Valley that has attracted some of tech’s biggest names. A number of major firms have a presence in the area just south of Salt Lake City, including eBay, Adobe Systems, SanDisk, and Qualtrics, among others. A number of these companies are already headquartered or have a major presence in California, which has a much more restrictive privacy act already in effect, and often simply handle data requests from around the country under California terms, as it is simpler and less expensive than filtering requests and getting into disputes with consumers about data rights.
“Business-friendly” terms soften impact of bill
Though there is bipartisan interest in getting a federal privacy bill passed, the issue seems to keep getting sidelined by one political distraction or another. As this process drags on for years, individual states have begun to take the matter into their own hands. The Utah privacy act demonstrates how much difference there can be from state to state.
Though the bill is the most business-friendly of the four that have become law, it does share some consumer protections with its predecessors. Companies that are covered by its terms will have to allow consumers to opt out of personal data collection and use, provide access to and the right to request deletion of certain data, be transparent about data collection and use, and require certain data safeguards. Consumers will be able to bring complaints about data processing violations to the Division of Consumer Protection.
Fines can run up to $7,500 per violation of the privacy act. These funds are to be directed to the state Consumer Privacy Account, which is used for consumer education and conducting enforcement actions.
The Utah privacy act is getting the label of being business-friendly for two reasons. First, a company must meet multiple thresholds to be regulated by it, which narrows the pool of companies it applies to more than the bills in the other three states do. Second, consumers will not be able to organize class action lawsuits on the basis of enforcement actions taken under it (though the state attorney general is granted the right to seek judgments on their behalf).
However, state lawmakers have also said that the privacy act is to be considered a “starting point” and that future amendments are possible that may not be as business-friendly. The Utah attorney general and the Division of Consumer Protection will be required to keep tabs on the effectiveness of the law and file a report by the beginning of July 2025, giving it a year and a half in action at that point.