Utah

Summary

Law: Utah Consumer Privacy Act ('UCPA')

Regulator: The Utah Attorney General ('AG')

Summary: On March 24, 2022, the Utah Governor signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth state to enact comprehensive privacy legislation. The UCPA establishes consumers' rights to access, deletion, and portability, and provides for the right to opt out of targeted advertising and the sale of personal data. The UCPA also establishes various controller and processor obligations and privacy notice requirements, and grants the Utah Attorney General (AG) exclusive authority to enforce its provisions. The UCPA entered into effect on December 31, 2023.

In addition, House Bill 57 for the Electronic Information or Data Privacy Act (the Act) entered into force on May 14, 2019, and protects third-party electronic information or data and provides that the presumed owner of the data (the person who may maintain a reasonable expectation of privacy in relation to the data) is the individual transmitting such data to a third party. Furthermore, Utah requires the notification of breaches of personal data to affected data subjects, with violations facing civil penalties of injunctive relief sought by the AG.

The Utah Division of Consumer Protection has also requested public comments on the Utah Social Media Regulation Act Rule (the SMRA Rule). This follows the passage of the Social Media Regulation Act on May 3, 2023, which establishes age verification procedures for access to social media platforms alongside accompanying rules on parental consent and principles of processing.

You can follow legislative developments in the US through the USA State Law Tracker.

Insights

The Utah Artificial Intelligence Policy Act (UAIP) entered into force on May 1, 2024. Romaine Marshall and Jennifer Bauer, from Polsinelli PC, take a look at the UAIP and what this law seeks to achieve.

The Utah Consumer Privacy Act (UCPA), which entered into force on December 31, 2023, functions as comprehensive privacy legislation in Utah. However, the Utah State legislature has been active in both amending state privacy legislation and providing for new additions. OneTrust DataGuidance provides an overview of legislation that accompanies the UCPA and developments in the Utah privacy framework, with comments provided by Clifford Blair, Shareholder at Kirton McConkie.

The Utah Consumer Privacy Act (UCPA), which went into effect on December 31, 2023, was signed into law on March 24, 2022, by Utah Governor Spencer Cox. When the UCPA was enacted, California, Colorado, and Virginia were the only states with enacted comprehensive privacy laws. Since then, 11 other states – Connecticut, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey and New Hampshire – have also enacted privacy laws. Though the UCPA shares many similarities with other state laws, its narrower scope, limited offering of consumer rights, and lack of a Data Protection Assessment (DPA) requirement make it potentially less onerous for businesses. Brian Yin, Paige Burris, and Inna Jackson, from Clifford Chance, provide a deep dive into the UCPA, including who must comply with it and what data it covers, as well as its provisions for consumer rights and the duties of controllers.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

The Utah Senate passed, on 3 March 2022, Senate Bill ('SB') 227 for a Consumer Privacy Act ('UCPA') which was later signed by the Governor on 24 March 2022, making Utah the fourth State to enact comprehensive privacy legislation. The UCPA will enter into effect on 31 December 2023.

Notably, the UCPA establishes various controller and processor obligations, privacy notice requirements, and introduces several data subject rights.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227, making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.

On 24 March 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ('UCPA') into law, making Utah the latest State to adopt comprehensive privacy legislation. The UCPA - along with the California Privacy Rights Act of 2020 ('CPRA'), the Colorado Privacy Act ('CPA'), and the Virginia Consumer Data Protection Act ('CDPA') - make up a new wave of laws going into effect in 2023 ('the 2023 Laws') that will reshape the privacy landscape in the US.

The UCPA tracks closely with the CDPA, and it is unlikely to drastically impact the compliance regime for businesses subject to the other 2023 Laws or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UCPA does include certain differences, largely in ways that narrow its application and lessen the burdens on controllers. In this sense, the UCPA may become a new model for more States that tend to lean more conservative and pro-business. In this article, Gregory Szewczyk, Partner at Ballard Spahr LLP, explores some of these differences.

On 24 March 2022, the Utah State Governor signed Senate Bill ('SB') 227, thereby enacting the Utah Consumer Privacy Act ('UCPA') and making Utah the fourth State in the US to pass a comprehensive privacy law, bringing it more in line with the likes of California, Colorado, and Virginia. Although the UCPA will enter into effect on 31 December 2023, giving businesses some time to consider its provisions and prepare, various considerations need to be made to understand the extent of the UCPA's requirements on businesses. As such, OneTrust DataGuidance highlights some of the key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regards to enforcement.

Utah has crossed the finish line in becoming number four on the #Patchwork2022 #GameOfLaws contest. Enter: Senate Bill 227 for a Consumer Privacy Act ('UCPA'), coming to a compliance department near you in December 2023.

On 24 March 2022, the Utah Governor signed into law the UCPA. The (surprising) fourth US state after California, Virginia, and Colorado to have a comprehensive data protection law, the UCPA borrows heavily both from the California Consumer Privacy Act of 2018 ('CCPA') and Virginia's Consumer Data Protection Act ('CDPA') but has more carve outs. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, considers the key things to think about and to do for companies who have not undergone a formal data protection compliance or which have undergone a CCPA or GDPR compliance plan.

Please note that this article was amended on 25 March 2022 to reflect the passing of the UCPA.