Utah Set to Pass U.S.'s Next Data Privacy Bill
Utah looks like it will become the fourth U.S. state, after California, Virginia, and Colorado, to pass comprehensive consumer privacy legislation.
Last month, the state of Utah appeared to be on fast track to enacting the country's fourth comprehensive state data privacy law. Now it looks like the legislation is on the cusp of being passed.
The legislation, the Utah Consumer Privacy Act, passed both chambers of the state, the Senate and the House, unanimously, in less than a week last month; it cleared the Senate on February 25 with a 28-0 vote and the House 71-0 on March 2.
Now the bill, which would give residents in the state the right to know what personal data is being collected and let them ask that it be deleted, is poised to become law. It just needs to be signed into law by the state’s Governor, Spencer J. Cox, something he has until next week, March 24, to do.
If passed, the bill would create requirements around the processing of sensitive data, information like consumers' racial or ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, medical history or health information, biometric data, and specific geolocation data.
One reason is because in its current incarnation, the UCPA doesn’t grant a right of action for a violation, something that's been a sticking point for many privacy experts in the past but not for anyone who's reviewed it so far in Utah. That means enforcement - after companies are given a 30-day cure period to fix any violations - will be left to the state's Attorney General.
While states like California, which has its own agency, the California Privacy Protection Agency to implement and enforce the CCPA (and next year’s CPRA) it's unclear how much bandwidth Utah's AG office will have when it comes to doling out violations.
UCPA also doesn't require organizations fulfil a data protection assessment, something some states, like Virginia and Colorado with their laws, require before consumer personal data is processed.
Still though, given Utah is a Republican-controlled state, its assumed passage of the law could be a sign of things to come for similar states. As Bloomberg noted last week, the fact that the legislation is "more tempered" may lead to copycat bills.
If passed, the UCPA would apply to data controllers and processors who generate at least $25 million through business in the state or produces products targeted to the state's residents. The organization would have to process data on at least 100,000 state residents or make more than 50% of its revenue from the sale of personal data and process data on at least 25,000 residents.
Still, Utah looks like it will be yet another in what’s becoming a slow wave of states to pass general data privacy legislation.
With comprehensive consumer privacy bills already in the works in at least 24 other states, it’s looking more and more likely the country will have a patchwork of similar laws on the books in a year from now instead of a single federal law.
While compliance efforts around the UCPA may be a distant thought for some – if passed, it won’t take effect until December 31, 2023 - it should still serve as gentle reminder for organizations to ensure they’re aware of where their sensitive data resides. Organizations that have the proper administrative and technical safeguards in place to guarantee the confidentiality, integrity, and availability of sensitive data will be better equipped to comply to changing regulations, regardless of whether they're rolled out on a state-by-state or federal basis.