Last week, the Utah House of Representatives unanimously passed a consumer privacy bill -- the Utah Consumer Privacy Act -- moving Utah one step closer to becoming the fourth state to enact privacy legislation in the US.
The bill will head back to the Utah Senate, where it was passed earlier this year. Officials there need to decide whether they will accept the amendments added by House members before it heads to the desk of Utah Governor Spencer Cox. Cox did not respond to requests for comment about whether he will sign the bill if it makes it to his desk.
The Utah Consumer Privacy Act applies to companies with an annual gross revenue of $25 million and those that conduct business in Utah or produce goods for Utah residents. The bill also only applies to businesses that "control or process" the personal information of 100,000 Utah residents or "derive over 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 residents."
The bill would take effect in December 2023 and would offer Utah residents the right to notice, access, portability, and deletion -- but does not offer people the right of correction. There are also exemptions for certain businesses. It includes an opt-out section that allows people to deny companies the right to target them with advertising or sell their personal information.
But the bill still allows companies to conduct automated profiling and largely excludes employee data as well as any data shared between businesses. There is an opt-out provision for "sensitive" information that forces companies to also notify customers if they are collecting biometric or genetic data, health information, citizenship data, sexual orientation, racial origin, and religious beliefs.
As with other US privacy laws, enforcement is managed by the Utah Attorney General's office, but the bill controversially does not allow for a private right of action. The Utah Department of Commerce Division of Consumer Protection will investigate companies based on customer complaints before handing the cases off to the Attorney General's office.
Dan Clarke, a US privacy law expert who has been consulted by lawmakers in multiple states on potential privacy legislation, told ZDNet that the Utah bill is modeled after Virginia's law, even though it does not include a requirement for assessments and is silent on following the Global Privacy Control signal.
"Laws like Utah that follow in the footsteps of Virginia are a good step towards consumer privacy at the state level, but they are generally more business-friendly and less restrictive. Many of the laws have a predominately opt-out mindset and have lower penalties, especially for non-compliance by companies that are endeavoring to try their best," Clarke said.
"There is nothing really groundbreaking in the Utah Consumer Privacy Act. UCPA's passage really just cements the trend that's been proliferating across legislatures in 2022, most of which follow Virginia as a template. One element that is unique is a provision for the attorney general to propose changes after an 'enforcement assessment,' but that won't happen until 2025."
Consumer Reports senior policy analyst Maureen Mahoney said the bill is "far too weak to protect consumers" and added that Consumer Reports has urged the Governor to veto the measure.
"It's important that any privacy law is workable for consumers -- that at the very least, as in California, they can opt out of the sale of their personal information at all companies in a single step, rather than having to hunt through hundreds if not thousands of sites one-by-one, looking for a way to opt out," Mahoney said.
"And the definitions should cover targeted advertising ,so that consumers can meaningfully opt out. Unfortunately, Utah's bill is even weaker than Virginia's industry-friendly measure, which lacked these key elements. Utah's measure does not have opt-in rights for sensitive data, has a weaker opt-out, and an even weaker enforcement scheme."
Mahoney added, "All of this means that consumers won't be able to control their data. It's a victory for companies like Google and Facebook."
Lisa Sotto, head of the global privacy and cybersecurity practice at law firm Hunton Andrews Kurth, explained that the Utah law differs from the Virginia law because it lacks a correction right -- which she said is out-of-step with global data protection laws -- and offers an opt-out, rather than opt-in, right for the use of sensitive data, which also is defined more narrowly than in the Virginia law.
"The Utah law is privacy protective but also reasonably business friendly. This is a welcome development in light of the current plethora of comprehensive privacy laws in the US, with a high likelihood of more to come," she said.
"Companies that have complied with the other three state privacy laws, whose effective dates precede that of the Utah law, are well-positioned to readily comply with the Utah requirements. It should be a relatively simple exercise to comply with the Utah law once a framework is in place for California, Virginia, and Colorado compliance."
The Utah legislation follows recent privacy laws enacted in Virginia and Colorado in 2021, as well as multiple laws in California over the last three years.
Several states have spent years attempting to pass their own privacy laws due to the lack of any movement on privacy legislation at the federal level. New York, Texas, Washington, and dozens of other states have faced issues in pushing through their own privacy laws due to backlash from businesses that complain the bills will create a significant amount of extra work for effectively any business with a website.
Clarke, president at privacy company IntraEdge, said Washington just narrowly advanced their privacy law from the House appropriations committee, while laws in Indiana, Wisconsin, Oklahoma, and Florida are all currently cross-chamber and advancing rapidly.
"I think Utah's quick movement is more a result of off-screen negotiation to level the bill and unify after the 2021 debates with consumer advocate groups for a more comprehensive bill with private right of action, and opt-in didn't yield the results they wanted," Clarke said.
"The key stakeholders that wanted a more comprehensive law joined a collation deciding that something is better than nothing. This bill is a compromise between aggressive consumer privacy advocates and business-friendly supporters that was pre-wired."