U.S. Privacy Law Update: Utah Joins Growing List of States with Comprehensive Privacy Laws as More States See Potential Changes
March 11, 2022
Click for PDF
Utah is set to join California, Virginia and Colorado in enacting comprehensive data privacy legislation. Although Utah’s law largely follows Virginia and Colorado models, with a few provisions that may ease the burden on businesses, it adds to an increasingly active state legislative landscape. Meanwhile, California is proposing changes to its landmark privacy law as other states move forward in debating or updating their own data privacy laws. Businesses must take these changes into account when developing programs to comply with the laws.
Utah Consumer Privacy Act
In Utah, the legislature unanimously passed the Utah Consumer Privacy Act. Once the bill reaches the governor’s desk, he will have 20 days to sign or veto it or it will automatically become signing law if the governor vetoes the bill, the legislature has enough of votes to override the veto, given that it was adopted unanimously. Once enacted, the new law will enter into force according to its terms on December 31, 2023,—about a year after similar laws in Colorado and Virginia went into effect. Similar to other laws, the new law applies to companies that (1) conduct business in Utah or target consumers in the state, (2) have annual sales of $25 million or more and (3) either (a) process or control the personal data of 100,000 or more Utah consumers or (b) process or control the personal data of 25,000 or more Utah consumers and derive 50% or more of their gross income from the sale of personal data.
Although the law in Utah is similar to the laws in Virginia and Colorado, there are a few differences that may make the law easier for businesses to follow. For example, like Virginia and Colorado, Utah does not include a private right of action in its law, although the Attorney General can seek statutory damages, as described in more detail below. However, unlike Virginia and Colorado laws, Utah law does not require companies to conduct and document data protection assessments of their data handling practices. Utah also does not require companies to establish a mechanism for consumers to appeal a company’s decision regarding a consumer’s request to exercise any of their personal data rights. Finally, Utah law makes it easier to charge fees to respond to consumer requests. Specifically, companies may charge fees when responding to consumer requests to exercise their personal data rights in Virginia only if such requests are “manifestly unfounded, excessive, or repetitive.” or Colorado only if a second application is made within a 12 month period. But Utah allows companies to charge a fee in both of these situations as well as when the company “reasonably believes the primary purpose for submitting the request was other than to exercise a right” or is harassing. , disruptive or imposes an excessive load on the controller. .
As for enforcement, while the Utah Consumer Protection Division can investigate potential violations, Utah law, like that of Colorado and Virginia, limits enforcement to the prosecutor. general of the state. The Attorney General must give companies at least 30 days to remedy before taking action. If the Attorney General brings such an action, he may collect statutory damages of up to $7,500 per violation or actual damages.
Developments in other states
As Utah moves forward with its new privacy law, California lawmakers have launched proposals to expand the business-to-business and employment-related exemptions in the California Consumer Privacy Act (“CCPA “). Under these exemptions, the CCPA generally does not apply to employment-related data or data involved in business-to-business transactions for the purposes of due diligence or to provide a good or service. The California Privacy Rights Act (“CPRA”) is currently set to end these exemptions on January 1, 2023. But bills introduced in California would extend these exemptions either until January 1, 2026, either in accordance with the alternative bill, indefinitely.
California isn’t the only state to update its comprehensive data privacy law. The Colorado Attorney General recently announced that a formal notice of proposed regulation under the Colorado Privacy Act will be issued this fall to prepare regulations to be implemented by January 2023. In the meantime, town halls and meetings are scheduled to collect comments on these regulations. .
Other states are moving quickly to join California, Colorado, Virginia and Utah. Data privacy laws were passed by committees or chambers this year in Indiana, Iowa, Florida, Massachusetts, Ohio, Washington, and Wisconsin, and many other states are also considering legislate. While the precise contours of these laws – and how many, if any more this year, will be enacted, and when – remain in flux, the enactment of national privacy laws has already ushered in notable regulatory changes affecting privacy. how companies collect and manage data while imposing a host of new obligations and potential responsibilities across the country. Companies would benefit from focusing their compliance programs accordingly.
We will continue to monitor developments in this area and are available to discuss these issues as they apply to your particular business.
 Utah Consumer Privacy Act (“UCPA”), SB 227, 2022 Leg. Sess. (Utah 2022).
 UCPA, § 17.
 UCPA, § 3, 13-61-102(1).
 To see Colorado Privacy Act (“CPA”), SB 21-190, § 6-1-1309, 73d Leg., 2021 Regular Sess. (Colombia 2021); Virginia Consumer Data Protection Act (“VCDPA”), SB 1392, § 59.1-576, 2021 Spec. Sess. (Virginia 2021).
 To see PCA, 6-1-1306(3)(a); VCDPA, § 59.1-573(C).
 VCDPA, § 59.1-573(B)(3).
 CPA, § 6-1-1306(2)(c).
 UCPA, § 7, 13-61-203(4)(b)(i)(B)-(C).
 UCPA, § 13, 13-61-305; § 13, 13-61-401; § 14, 13-61-402(1)-(2).
 UCPA, § 14, 13-61-402(3)(b)-(c).
 UCPA, § 14, 13-61-402(3)(d).
 To see AB 2871, 2021–2022 Reg. Sess. (California 2022); AB 2891, 2021–2022 Reg. Sess. (California 2022).
This alert was prepared by Ryan T. Bergsieker, Cassandra Gaedt-Sheckter, Eric M. Hornbeck and Alexander H. Southwell.
Gibson Dunn attorneys are available to answer any questions you may have regarding these developments. Please contact the Gibson Dunn attorney you usually work with, the authors, or any member of the firm’s Data Privacy, Cybersecurity and Innovation practice group:
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, DC (+1 202-887-3786, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, DC (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, DC (+1 202-887-3674, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
© 2022 Gibson, Dunn & Crutcher LLP
Publicity for Lawyers: The enclosed materials have been prepared for general information purposes only and are not intended to provide legal advice.