A new consumer privacy law has been signed in Utah and will go into effect at the end of 2023, the fourth such state bill to pass. Although it compares in some ways to previous bills passed in California, Virginia and Colorado, Utah’s bill is the most business-friendly. Most businesses in the state won’t be large enough to be subject to its terms, and it doesn’t contain a private right of action or apply to government or nonprofit agencies.
Utah privacy law applies to less than 1% of businesses in the state
Given the initial threshold of at least $25 million in annual revenue, Utah’s consumer privacy law will likely apply to well under 1% of businesses in the state and mostly to international or national companies. In addition to generating more annual revenue than most businesses in the state have ever achieved, organizations will need to tick at least one additional box from the following business-friendly list to be covered by the rules: they must either process the personal data of at least 100,000 people, or derive more than 50% of their revenue from the sale of personal data and actively process the personal data of at least 25,000 customers.
In addition to being business-friendly, the privacy law almost entirely exempts non-profit entities. Government agencies and offices, tribal organizations, nonprofits, and higher education will not be subject to any new privacy requirements under the new rules. Healthcare organizations already subject to the Health Insurance Portability and Accountability Act (HIPAA) and financial organizations already subject to Title V of the Gramm-Leach-Bliley Act are also exempt, as are any health records already subject to HIPAA rules.
Other business-friendly terms of the privacy law not found in other states’ laws include the complete absence of data protection assessment requirements, the absence of a private right of action on which citizens could base class action lawsuits under the law, and a 30-day window given to companies to remedy violations before the Attorney General’s office can take legal action.
Although the privacy law does not apply to the more than 99% of small businesses that make up Utah’s economy, it will impact one specific area of the state: “Silicon Slopes”, a sort of second Silicon Valley that has attracted some of the biggest names in technology. A number of major companies have a presence in the area just south of Salt Lake City, including eBay, Adobe Systems, SanDisk, and Qualtrics, among others. A number of these companies are already headquartered or have a major presence in California, which already has a much more restrictive privacy law in place, and often just handle data requests from across the country according to California’s terms, because it is simpler and less expensive than filtering requests and coming into conflict with consumers over data rights.
“Business-friendly” terms mitigate the impact of the bill
While there is bipartisan interest in pushing through a federal privacy bill, the issue seems to continue to be sidelined by one political distraction or another. While this process has dragged on for years, individual states have begun to take matters into their own hands. Utah’s privacy law shows just how much difference there can be from state to state.
Although the bill is the most business-friendly of the four that became law, it shares some consumer protections with its predecessors. Companies covered by its terms will need to allow consumers to opt out of the collection and use of personal data, provide access and the right to request deletion of certain data, be transparent about data collection and use, and require certain data safeguards. Consumers will be able to file complaints about data processing violations with the Consumer Protection Division.
Fines can be up to $7,500 per violation of the privacy law. These funds should be directed to the state’s consumer privacy account, which is used for consumer education and conducting enforcement actions.
Utah’s privacy law gets the business-friendly label because of the multiple thresholds a business must meet before it is regulated, which narrow the group of businesses it applies to more than the bills of the other three states do, and because consumers will not be able to bring class action lawsuits based on enforcement actions taken under it (although the state attorney general has the right to seek judgments on their behalf).
However, state lawmakers have also said the privacy law should be seen as a “starting point” and that future amendments are possible that may not be as business-friendly. Utah’s Attorney General and Consumer Protection Division will be required to monitor the law’s effectiveness and file a report by early July 2025, by which point the law will have been in effect for a year and a half.