To read the original article, please click here.
Utah is on the cusp of becoming the fifth state to pass consumer-privacy legislation, joining California, Colorado and Virginia. Earlier this year, Massachusetts advanced its privacy law through a bipartisan cybersecurity committee with a 12-0 vote.
The Utah Consumer Privacy Act (UCPA) follows Virginia’s privacy model that gives people leverage over the collection of personal information by businesses, including accessing and deleting information, getting a portable copy of the information and choosing to opt-out from sharing data that’s repurposed as third-party data for targeted ads.
But Utah stands out with some business-friendly changes, protecting small and medium-sized companies.
UCPA would apply if a company reaches an annual revenue threshold of $25 million and processes data of at least 100,000 consumers or it derives 50% of its gross revenues from the sale of such data while controlling and processing data of at least 25,000 consumers.
California’s CCPA has similar provisions while Colorado and Virginia do not have annual revenue thresholds.
The Utah bill does not require consenting before processing such data, only require the notification of consumers to opt-out.
Currently, lawmakers across 29 states are considering comprehensive privacy bills.
Businesses are finding it cumbersome to keep up with laws for each state. “It’s not only confusing but time-consuming and expensive” David O. Klein, managing partner at internet marketing and consumer-privacy firm Klein Moynihan Turco, told Adweek.
The law firm represents businesses that meet the revenue threshold for the privacy law. “We also drafted separate California privacy notices, updated [business] agreements with their marketing partners and vendors,” said Klein, “to make sure that everyone was complying with the CCPA.”
Klein Moynihan Turco is currently getting businesses ready to comply with Virginia’s and Colorado’s privacy laws effective Jan. 1, 2023, followed by Utah taking effect on Dec. 31, 2023, unless Gov. Spencer Cox vetoes it.
“The hope is that the federal government will enact a consumer-data privacy law that will preempt [further] state laws,” said Klein.
The Utah bill does not include a private right of action, a federal law that allows an individual, opposed to the government, to legally enforce their rights under a given statute. Instead, the Utah Division of Consumer Protection (DCP), will oversee consumer complaints. This means a business will be given 30 days to fix any violations.
Given the flexibility of the bill, “in almost every respect,” said Klein, “it’s going be a lot easier to comply with Utah than the other states,” and predicts other states to follow suit.
