Utah is likely the next in line to pass a comprehensive consumer privacy law, joining the ranks of California, Colorado, and Virginia. Senate Bill 227, the Utah Consumer Privacy Act (UCPA), was passed by the Utah legislature and sent to Governor Spencer Cox’s desk on March 3. Governor Cox has 20 days in which to either sign the bill into law or veto it, and if no action is taken the bill will become law. If enacted in its current form, the UCPA would take effect December 31, 2023.
The bill shares similarities with the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (Colorado CPA) but is expected to be more business-friendly. The key features of the bill are:
While the UCPA imposes some significant obligations on organizations that may not have previously been subject to the CCPA, CPRA, VCDPA, Colorado CPA, or the GDPR, organizations that are subject to any of these laws and have worked toward compliance will find significant overlap and have a head start in complying with the UCPA. However, organizations that will be subject to the UCPA and not previously subject to one of these laws may need to expend significant resources in compliance before the effective date of December 31, 2023. Such organizations should prioritize the following activities, many of which may be re-used across other applicable privacy regimes or that have general applicability to a mature privacy program:
For more information about the UCPA and its requirements, please contact any of the authors or any of the partner or senior counsel members of Foley’s cybersecurity practice.