Utah Becomes Fourth State to Enact a Comprehensive Data Privacy Law

On March 24, 2022, Utah followed California, Virginia, and Colorado in adopting a comprehensive consumer data privacy law.

On March 24, 2022, Utah Governor Spencer Cox signed the Consumer Privacy Act ("Act"), making Utah the most recent state to enact a comprehensive data privacy law. The Act takes effect on December 31, 2023. 

The Act will apply to entities that: (i) conduct business or target consumers in Utah; (ii) generate $25 million or more in annual revenue; and (iii) either process or control: (a) the personal data of at least 100,000 Utah consumers; or (b) the personal data of at least 25,000 Utah consumers and derive at least half their gross revenue from selling personal data. Under the Act, consumers include individuals who are Utah residents and are acting in an individual or household context. The Act applies to residents acting in an individual or household context, not an employment or commercial context.  

The Act borrows many core elements from peer legislation in California, Virginia, and Colorado. For example, the Act creates obligations for "controllers" (those determining the purposes and means of processing the personal data) and "processors" (those processing the personal data on a controller's behalf). 

Under the Act, controllers have obligations to, among other things: 

  • Disclose in a privacy notice various processing activities;
  • Provide consumers with clear notice and an opportunity to opt out of the processing of "sensitive data," including biometric and geolocation data;
  • Provide consumers with a right to opt out of targeted advertising or the sale of personal data;
  • Comply with requests from consumers to exercise their other rights to access, obtain a copy of, or delete personal data, and confirm whether a controller processes personal data; and
  • Maintain reasonable administrative, technical, and physical data security practices. 

The Act does not create a private right of action, and grants exclusive enforcement authority to the Attorney General. If businesses do not cure violations within 30 days of the Attorney General's notice, the Attorney General may collect statutory damages up to $7,500 per violation, and actual damages to the consumer. Funds received by the Attorney General will be deposited into a Consumer Privacy Account for investigation and administrative costs, attorneys' fees, and providing consumer and business education.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.