On March 25, 2022, Beehive State Governor Spencer J. Cox signed the Utah Consumer Privacy Act (the Act), making Utah the fourth state to enact its own unique take on comprehensive data privacy legislation.
In a March 8, 2022, post to the Free State Foundation's blog, I reported that the Act had passed both state legislative chambers unanimously and was "nearly certain" to become law. I also provided a general overview of the consumer rights and corporate responsibilities set forth therein.
Yesterday, Utah officially joined California (the California Consumer Privacy Act and the California Privacy Rights Act), Virginia (the Virginia Consumer Data Protection Act), and Colorado (the Colorado Privacy Act) on the steadily expanding list of states occupying the vacuum created by the absence of a preempting federal privacy law.Consequently, the logistic headaches for both consumers and businesses I described in "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, have become more intense.
On the bright side, the Act, which is based on the Virginia statute and appears to strike a workable balance between protecting the rights of individuals and allowing businesses to continue to innovate, potentially could serve as a promising model for the federal law we all eagerly await.
For one thing, it comes down on what I view as the right side regarding the contentious issue of a private right of action, leaving enforcement exclusively to the Office of the Attorney General.