On March 24, Utah governor signed the Utah Consumer Privacy Act into law, making Utah the fourth state to enact comprehensive consumer privacy legislation. The law goes into effect Dec. 31, 2023.
According to IAPP, the UCPA is both similar to and different from the consumer privacy laws of California, Virginia and Colorado. It draws heavily from the Virginia Consumer Data Protection Act and contains several elements from the Colorado Privacy Act. At first glance, certain aspects of the law bear resemblance to the California Consumer Privacy Act. In practice, however, the substance of the UCPA takes a lighter, more business-friendly approach to consumer privacy than all three of its predecessors.
How is Utah’s bill different?
IAPP provides great clarification on this new bill. They state that closely resembling the scope of the VCDPA, the UCPA “applies to any controller or processor who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
- during a calendar year, controls or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.”
As more states are forming privacy legislation, they are drawing elements from one another, but still creating their own stand alone clauses. How will this impact federal privacy legislation if it ever comes along?