
Utah Speedily Becomes Fourth State to Enact Consumer Data Privacy Legislation

On March 24, Utah Gov. Spencer Cox signed into law SB 227, the Utah Consumer Privacy Act. This makes Utah the fourth state, behind California, Virginia, and Colorado, to enact comprehensive consumer data privacy legislation.

The Act will become effective Dec. 31, 2023.

The legislation moved quickly, from introduction to enrollment in less than a month, presumably due to its sponsors laying the groundwork in 2021 with SB 200.


The Act applies to any controller or processor that does business in Utah, or produces a product or service targeted to Utah consumers, and:

  1. has annual revenue of $25,000,000 or more; and
  2. satisfies one or more of the following thresholds:
    1. during a calendar year, controls or processes personal data of 100,000 or more consumers; or
    2. derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The Act contains a data-level and entity-level GLBA exemption, not applying to “a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations.”

Other exemptions include, in part, protected health information under the Health Insurance Portability and Accountability Act of 1996 Privacy Rule, and information subject to the Fair Credit Reporting Act.


The Act provides a consumer the right to:

  1. confirm processing of, and have access to, their personal data;
  2. delete personal data that was provided to the controller by the consumer;
  3. obtain a copy of their personal data; and
  4. opt out of the processing of their personal data if it is being processed for targeted advertising or sale.

Notably, the Act does not include the right to correct personal data, unlike the California (CPRA), Virginia, and Colorado acts.


A controller must require its processors to enter into a contract that:

  1. defines the specific purposes and limitations of the processing, including the duration;
  2. imposes a duty of confidentiality on the processor with respect to the personal data; and
  3. mandates a similar contract between the processor and any subcontractor.

The Act does not provide a private right of action.  In the event of a violation, the Attorney General may bring an enforcement action seeking actual damages to a consumer, and an amount not to exceed $7,500 for each violation.  The Act does require the Attorney General to provide a 30-day opportunity to cure a violation.


The Act is similar to the Virginia Consumer Data Protection Act and the Colorado Privacy Act, and businesses that are gearing up to comply with either or both should have little problem incorporating the Utah requirements.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
