Utah has joined California, Colorado and Virginia to become the fourth state to enact a comprehensive personal information privacy law. The law applies to any controller or processor with (1) annual revenue of $25,000,000 or more, and (2) who conducts business in Utah or produces a product or service that is targeted to consumers who are Utah residents, and (3) satisfies one or more of the following thresholds: (a) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (b) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Under the new law, a “consumer” means an individual who is a resident of Utah acting in an
individual or household context, and does not include an individual acting in an employment or commercial context. A “controller” means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether
the person makes the determination alone or with others. A “processor” means a person who processes personal data on behalf of a controller. “Process” means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data. “Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual, but does not does not include deidentified data, aggregated data, or publicly available information.
Among other things, the law gives Utah residents certain rights, including the right to know whether the controller is processing the consumer’s personal data and to obtain access to that personal data, the right to delete personal data the consumer has provided to the controller, the right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a portable format (to the extent technically feasible), and the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data.
The new law goes into effect on December 31, 2023.