Thought Leadership

Utah Joins the Ranks of Other Early Adopters of New Data Privacy Regimes

March 11, 2022 Advisory

The data privacy world continues to undergo uncertainty when it comes to the data privacy regulatory landscape. For example, the newly formed California agency responsible for creating California Privacy Rights Act (CPRA) regulations recently announced that it will miss the July 1 deadline, pushing the regulations back until Q3 or Q4 ahead of the critical January 2023 effective date.

Adding to this uncertainty are a myriad of states that are revisiting data privacy legislation in 2022. In fact, Utah’s legislature recently passed the Utah Consumer Privacy Act (UCPA), becoming the fourth and most recent state to enact sweeping data privacy legislation. The Governor has 20 days from the date of receipt to act on the legislation, and if he does not sign or veto the legislation within this period, it will become law. While Utah’s law has vestiges of Colorado’s, Virginia’s and California’s data privacy statutes, there are a few distinct differences.

Similarities Between UCPA and Existing Regimes

Organizations required to comply with the UCPA can take some comfort in knowing much of it is borrowed from existing regulations. For example, the rights to access, review and request deletion of data are similar to other legislative schemes. Like the CCPA, Virginia’s Consumer Data Protection Act (CDPA) and the European Union’s General Data Protection Regulation (GDPR), companies are also required to enter into written agreements with third parties, vendors and service providers that process data on their behalf.

The UCPA’s consumer notice requirements are also reminiscent of existing privacy frameworks. Under the UCPA, data controllers must clearly disclose the categories of data being collected, the purpose for which the personal data is being collected, how collected data will be shared, and with whom it will be shared. They also must provide a mechanism for consumers to opt out of the sale of their data. Controllers must respond to a consumer’s request within 45 days.

Finally, like other existing regulations, the UCPA does not contain a private right of action—instead, the attorney general’s office is the sole enforcer and is responsible for notifying organizations of deficiencies. The UCPA allows for a 30-day cure period for the organization to cure the deficiency, after which point an enforcement action can be brought.  

Differences Between UCPA and Existing Regulations

While the jurisdictional scope of the legislation generally tracks the scope requirements from the CCPA in that it only applies to business with a gross annual revenue of $25 million, it differs from the CCPA (and other privacy frameworks) in that the company must also process the data of 100,000 individuals or derive more than 50% of its revenue from the sale of customer data. In other words, the UCPA requires two of three threshold criteria be met in order for the organization to be subject to the UCPA, rather than just one criterion, which is the case under the CCPA/CPRA and other state laws. This may make the initial determination of whether the organization must comply with the UCPA a longer analysis than under other states’ regimes, because the organization may wish to more closely analyze whether it meets the threshold requirements and is required to comply with the law.

Another significant difference from other privacy legislation is Utah’s attempt to allow the law to be changed outside of action by the state legislature. The provision allows the Utah Attorney General’s office to suggest changes to the legislation via an “enforcement assessment” which is due July 1, 2025. Proponents of the “enforcement assessment” argue that this will give the Attorney General’s office “an unusual opportunity to study how the law works and give feedback on what this law got right, and what we may need to fix.”

Summary of Current State Legislation

The table below contains an overview of some of the key differences and similarities between Colorado’s, Virginia’s and California’s data privacy regimes:

Utah (UCPA) Colorado (CPA) Virginia (CPDA) California (CPRA)
Effective Date December 31, 2023 July 2023 January 2023 January 2023 with a one-year compliance lookback
Companies Subject to the Law Companies that meet the following criteria:

-gross annual revenue of more than $25 million; and

-control or process personal data of 100,000 or more consumer during a calendar year; or derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers

Nonprofit entities and institutions of higher education are exempt.
Companies that meet either of the following:

- collect and store the personal data of more than 100,000 consumers; or

- derive revenue from the sale of personal data of at least 25,000 consumers

Nonprofit entities that meet the above thresholds are subject to the requirements.
Companies that meet either of the following:

- control or process the data of at least 100,000 consumers; or

- companies that control or process the data of at least 25,000 consumers and derive 50% of their revenue from the sale of personal data

Nonprofit entities are exempt.
Companies that meet any of the following:

- gross annual revenue of more than $25 million;

- annually buy, sell or share for cross-context behavioral advertising the personal information of 100,000 or more consumers or households; or

- derive more than 50% of revenue from selling or sharing for cross-context behavioral advertising personal information

Nonprofit entities are exempt.
Special Requirements for Sensitive Data? Yes Yes Yes Yes
Consumer Opt-Out Rights?
Yes – on a website-by-website basis Yes – compliance with a universal opt-out through a global privacy control browser setting required by July 2024 Yes – on a website-by-website basis Yes – on a website-by-website basis
Purpose/Processing Limitations Yes Yes Yes Yes
Requires a Risk Assessment or Data Protection Assessment? No Yes – for certain processing activities Yes – for certain processing activities Yes – for certain processing activities
Special Requirements for Youth Data? Yes – collection restrictions for children under 13 No Yes – collection restrictions for children under 13 Yes – processing restrictions for children under 16

AT’s Data Innovation, Privacy and Security practice has vast experience navigating all aspects of the complex data privacy regulatory scheme and regularly counsels clients – whether business-to-business, direct-to-consumer, e-commerce or anything in between – across a variety of sectors on data privacy obligations. For more information specific to your business needs, please contact one of the authors or your regular AT attorney.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware