The newest state data privacy law, the Utah Consumer Privacy Act (the Act), was signed into law by Utah Governor Spencer J. Cox on March 24, 2022. This makes Utah the fifth state to pass its own privacy law instead of waiting for the federal government to enact a nationwide federal law.

There are other state laws pending in legislatures across the country, and we anticipate that some will be passed during this year’s legislative season.

Similar to the California, Nevada, Virginia and Colorado state privacy laws, the Act provides consumers with the right to:

  • access and delete personal data maintained by certain businesses;
  • opt out of the collection and use of personal data for certain purposes; and
  • know what data a business collects, how it uses personal data and whether it sells the data.

The Act also requires some businesses to:

  • safeguard data and provide transparency to consumers about how they collect and use data;
  • comply with a consumer’s request to exercise rights under the law; and
  • delete a consumers’ personal data or stop selling the data (with certain exceptions).

The Act also:

  • provides the Division of Consumer Protection jurisdiction to investigate consumer complaints regarding the processing of personal data; and
  • authorizes the Office of the Attorney General to enforce the law and impose penalties for violation.

The law includes broad definitions of personal and sensitive data, and requires controllers of data to provide notice to consumers of collection of personal data, minimize the amount of data collected, and have appropriate security measures in place to protect personal data after collection.

Significantly, the Utah law pivots away from the rights provided in the California Consumer Privacy Act by not providing a private cause of action if the law is violated.

The law, which becomes effective December 31, 2023, provides authority to the Attorney General to enforce its provisions and to seek recovery for actual damages of any consumer, and $7,500 per violation of the law. Any funds received by the Attorney General for enforcement of the law will be deposited into the Consumer Privacy Account, which is designated a restricted account; up to $4 million an be used for enforcement actions and  consumer education.

We anticipate more state privacy laws will be enacted this year. We will keep  you apprised on those laws as they are signed by governors.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.