Utah’s Consumer Privacy Act heads to the governor’s desk
After passing Utah’s House of Representatives on March 2, 2022, and pending minor procedural formalities, Utah SB 227, the Consumer Privacy Act, will head to Governor Spencer Cox’s desk for his nearly certain signature. With its passage, Utah will become the fourth state to enact a broad multi-rights privacy bill. The law will take effect on December 31, 2023.
SB 227, a narrower version of the Virginia Consumer Data Protection Act (CDPA), enjoyed broad political support, passing unanimously in both houses. Its departures from Virginia were animated by concerns among legislators that the bill guarantee similar consumer rights but minimize compliance costs on businesses.
The Utah law pares back several elements of the CDPA and broadens many of its exemptions. It also avoids some of the Colorado Privacy Act’s (CPA) features, such as the Global Privacy Control and the complex rulemaking, that expand Virginia’s scope.
The core elements of this law will be:
Consumer rights. SB 227 provides consumers the following rights: the right to access their personal data; the right to delete personal data that the consumer provided to the controller; the right to correct personal data; the right to port the consumer’s data to another entity; and the right to opt out of the sale of personal data as well as targeted advertising. The bill does not include the consumer right to request correction of personal data.
Virginia-style definition of sale. The bill defines “sale” as “the exchange of personal data for monetary consideration.” It avoids the confusing California Consumer Privacy Act (CCPA) definition and aligns with Virginia’s definition.
No appeals of consumer requests. Unlike the CDPA, SB 227 does not require data controllers to implement an appeals process when consumer requests are denied. Under SB 227, the denial of a consumer request does not trigger a requirement to engage in any appeals process, as it does in Virginia.
Broader exemptions. SB 227 builds on the language in the VCDPA stating that data controllers are not required to respond to consumer requests – not only if a controller suspects them to be fraudulent and excessively burdensome, but also if they are unfeasible to which to respond. It also specifies that disclosures of personal data at a consumer’s direction, or to provide requested products or services, are not treated as covered exchanges of this data under the law. Importantly, SB 227will be the first state privacy law to explicitly protect specified trade secrets from disclosure.
No Global Privacy Control. Unlike the CPA and California’s Consumer Privacy Rights Act (CPRA), SB 227 does not require controllers to honor Global Privacy Control signals that enable users to opt out of the sale of personal data and targeted advertising on their browser instead of a site managed by the controller.
Attorney General rulemaking. SB 227 avoids the complex rulemaking that California and Colorado will be undertaking. Instead, it provides that the Utah Attorney General's office may propose changes via an enforcement assessment. due July 1, 2025.
The law creates a novel, dual structure for enforcement when responding to consumer claims. First, the Utah Department of Commerce’s Consumer Protection Office will consider and investigate a claim. Only if deemed legitimate will the claim proceed to the state Attorney General’s Office, where the office may either concur with the Consumer Protection Office’s findings or reject the claim. Businesses also enjoy a right to cure under SB 227.
SB 227 is significant because it further isolates the CCPA and CPRA as models for other states and reduces some of the more burdensome compliance obligations provisions seen elsewhere. It is likely to provide a more streamlined model for state privacy legislation in other states, in this legislative session as well as next year.
For more information, please contact our data privacy team via PrivacyGroup@dlapiper.com.